Defect #37517

User disclosure vulnerability via "Forgot password" functionality

Added by Alberto Guerrero 19 days ago. Updated 6 days ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: -
Resolution: Duplicate
Affected version:


The Redmine application reveals the existing users in the system database and their current status by using the "forgot password" functionality, as different messages will appear when entering your email to recover your password if the user in the email is pending approval, does not correspond to any user or is assigned to an active user.

This could therefore help attackers to perform more sophisticated and targeted brute force attacks.

Solution: Display the same message when executing this functionality, without differentiating whether the user exists, is pending approval or is incorrect.

Related issues

Duplicates Redmine - Defect #6254: Remove 'invalid user' notification on password request wi... New 2010-08-31
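
The behaviour reported above next to the proposed fix, as an added Ruby example (not part of the issue and not Redmine's own code). The user store, addresses, message texts and the `outbox` mailer stand-in are constructed for illustration.

```ruby
# Constructed in-memory user store; these are not Redmine's models.
USERS = {
  "active@example.test"  => :active,
  "pending@example.test" => :pending_approval,
}.freeze

GENERIC_NOTICE = "If an account matches this address, an email with " \
                 "instructions has been sent."

# Behaviour described in the report: the message depends on account state.
def lost_password_leaky(email)
  case USERS[email.to_s.strip.downcase]
  when :active           then "An email with instructions has been sent to you."
  when :pending_approval then "Your account is pending approval."
  else                        "Unknown user."
  end
end

# Proposed behaviour: one message for every outcome; only the side effect
# differs. `outbox` is a hypothetical stand-in for the mailer.
def lost_password_uniform(email, outbox)
  key = email.to_s.strip.downcase
  outbox << key if USERS[key] == :active
  GENERIC_NOTICE
end

# Regression check: how many distinct responses can an observer see?
def distinct_responses(emails)
  emails.map { |e| yield(e) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  probes = ["active@example.test", "pending@example.test", "nobody@example.test"]
  outbox = []
  puts distinct_responses(probes) { |e| lost_password_leaky(e) }
  puts distinct_responses(probes) { |e| lost_password_uniform(e, outbox) }
  p outbox
end
```

A check like `distinct_responses` fits in a regression test so the three account states cannot drift back to separate messages.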


#1 Updated by Mischa The Evil 6 days ago

  • Duplicates Defect #6254: Remove 'invalid user' notification on password request with invalid e-mailadress added

#2 Updated by Mischa The Evil 6 days ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Thanks for filing this issue. Though, a similar request is already being tracked as issue #6254. As such I am closing this issue as a duplicate of it.
