Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.10.4, 13.1-rc-1
- Component/s: Administration
- Labels: None
- Difficulty: Unknown
- Documentation: N/A
- Documentation in Release Notes: N/A
Description
It's possible to perform a ForgotUsername request without needing a CSRF token:
http://127.0.0.1:8080/xwiki/bin/view/XWiki/ForgotUsername?e=aaa%22bbb%27ccc%3Eddd%3Ceee (before XWiki 13.1)
http://127.0.0.1:8080/xwiki/bin/view/Main/WebHome?e=aaa%22bbb%27ccc%3Eddd%3Ceee&vm=forgotusername.vm&skin=default&xpage=xpart&language=en (since XWiki 13.1)
Issue Links
- is related to: XWIKI-18384 The "Forgot your username?" form offers too much information concerning user accounts (Closed)