Defect #37517
closed
User disclosure vulnerability via "Forgot password" functionality
0%
Description
The redmine application reveals the existing users in the system database and their current status by using the "forgot password" functionality, as different messages will appear when entering your email to recover your password if the user in the email is pending approval, does not correspond to any user or is assigned to an active user.
This could therefore help attackers to perform more sophisticated and targeted brute force attacks.
Solution: Display the same message when executing this functionality, without differentiating whether the user exists, is pending approval or is incorrect.
Related issues
Updated by Mischa The Evil almost 3 years ago
- Is duplicate of Defect #6254: Remove "Unknown user" notification on password request with non-existent email address added
Updated by Mischa The Evil almost 3 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Thanks for filing this issue. Though, a similar request is already being tracked as issue #6254. As such I am closing this issue as a duplicate of it.