Impact
An unauthenticated user can perform user enumeration through the password reset form, because the response reveals whether the submitted login exists. This makes it easier to brute-force a valid account.
Patches
The message displayed after requesting a password reset no longer reveals whether the user exists.
Workarounds
Override the dictionary entry "UI:ResetPwd-Error-WrongLogin" through an extension and replace it with a generic message, i.e. the same text that is shown when the login does exist.
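As an added example (not code from this advisory or from the project), the leaking behaviour and the fixed behaviour described in the Patches and Workarounds sections side by side, with a small probe showing why the fix matters. The user table, message texts and function names are assumptions made for the example:

```python
"""Added example: a minimal password-reset handler in its information-leaking
form next to a hardened form that returns the same message regardless of
whether the login exists. All names, messages and the user table are
assumptions, not the project's own code."""

# Constructed sample user table standing in for the application's database.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Generic text the hardened handler shows for every submitted login; this is the
# kind of message the workaround suggests substituting for the dictionary entry
# "UI:ResetPwd-Error-WrongLogin".
GENERIC_MESSAGE = "If an account matches, a reset link has been sent."

SENT = []  # records outgoing mail so the example runs offline


def send_reset_mail(email: str) -> None:
    """Stand-in for the real mailer: just record the recipient."""
    SENT.append(email)


def vulnerable_reset(login: str) -> str:
    """Vulnerable form: the response text depends on whether the account exists."""
    if login not in USERS:
        return "Wrong login"  # distinguishable from the success text -> enumeration
    send_reset_mail(USERS[login])
    return "A reset link has been sent to your e-mail address."


def hardened_reset(login: str) -> str:
    """Hardened form: identical message whether or not the login exists."""
    email = USERS.get(login)
    if email is not None:
        send_reset_mail(email)
    return GENERIC_MESSAGE


def enumerate_accounts(handler, candidates):
    """What an attacker does with the form: get a baseline reply for a login that
    certainly does not exist, then submit a wordlist and keep every candidate
    whose reply differs from the baseline. Returns the set of logins the handler
    reveals as existing; an empty set means the form gave nothing away."""
    baseline = handler("no-such-user-0f3a9c")  # assumed not to be a real login
    return {login for login in candidates if handler(login) != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "carol", "bob", "dave"]
    print("vulnerable:", enumerate_accounts(vulnerable_reset, wordlist))  # {'alice', 'bob'}
    print("hardened:  ", enumerate_accounts(hardened_reset, wordlist))    # set()
```

Note that the hardened handler still only sends mail for existing accounts, so response time may differ between the two branches; the advisory covers the message text only, and a timing side channel would have to be assessed separately.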
References
Credits
Huge thanks to @worty-syn for reporting this.
For more information
If you have questions or comments about this advisory:
Email us at [email protected]