[XWIKI-18384] The "Forgot your username?" form offers too much information concerning user accounts - XWiki.org JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.11.9
Fix Version/s: 12.10.5, 13.2-rc-1
Component/s: None
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Click on "Forgot your username?" on the login screen
Open http://<server>/xwiki/bin/view/XWiki/ForgotUsername and add both a valid email associated to an user and an invalid email

Result: the platform confirms if the user exists or not.

Expected result: a generic message concerning the user without confirming if it exists or not (e.g. "If the account is registered on the application, you will receive a dedicated message").

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

InvalidUserResult.png
59 kB
24/Feb/21 16:25
ValidUserResult.png
48 kB
24/Feb/21 16:25

Issue Links

is related to

XWIKI-18787 The "Forgot your password?" form offers too much information concerning user accounts

Closed

relates to

XWIKI-18408 ForgotUsername is not protected against CSRF

Closed

XWIKI-18787 The "Forgot your password?" form offers too much information concerning user accounts

Closed

links to

Github security advisory

Activity

People

Assignee:: Simon Urli

Reporter:: Elena-Oana Florea

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Feb/21 16:27

Updated:: 07/Jul/22 11:31

Resolved:: 09/Mar/21 14:20