Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: 13.4.1, 13.6-rc-1, 12.10.9
Affects Version/s: 13.4, 12.10.8
Component/s: Security
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Click on "Forgot your password?" on the login screen
Open http://localhost:8080/xwiki/bin/view/XWiki/ResetPassword or http://localhost:8080/xwiki/authenticate/reset and add an invalid password

Result: the platform confirms if the user exists or not (on 12.10.8 and 13.4).

Expected result: a generic message concerning the password without confirming if the user exists or not (e.g. "If the account is registered on the application, you will receive a dedicated message").

Attachments

Issue Links

is related to

XWIKI-18384 The "Forgot your username?" form offers too much information concerning user accounts

Closed

relates to

XWIKI-18384 The "Forgot your username?" form offers too much information concerning user accounts

Closed

links to

Github security advisory

Activity

People

Assignee:: Simon Urli

Reporter:: Elena-Oana Florea

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 24/Jun/21 13:42

Updated:: 07/Jul/22 11:31

Resolved:: 29/Jun/21 10:03