Defect #37517 (closed)

User disclosure vulnerability via "Forgot password" functionality

Added by Alberto Guerrero almost 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Duplicate
Affected version:
Description

The Redmine application reveals which users exist in the system database, and their current status, through the "forgot password" functionality: a different message is shown after entering an email address to recover a password depending on whether the address belongs to a user pending approval, does not correspond to any user, or belongs to an active user.

This could therefore help attackers to perform more sophisticated and targeted brute-force attacks.

Solution: display the same message whenever this functionality is used, without differentiating whether the user exists, is pending approval, or the address is incorrect.
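The following is an added illustration of the defect and the proposed fix; it is not Redmine's own code. It is a plain Ruby script with no Rails dependency: the user store, the status constants, the sample addresses and the message strings are all constructed for the example. The first handler reproduces the three distinguishable outcomes the report describes; the second always returns one message and only uses the lookup result to decide whether a reset mail is actually sent.

```ruby
# Added example (not Redmine's own code): a minimal "forgot password" handler
# with the user-enumerating behaviour beside a uniform-response version.

# Constructed status constants for this example (not Redmine's identifiers).
STATUS_ACTIVE     = 1
STATUS_REGISTERED = 2   # registered but still pending administrator approval

User = Struct.new(:login, :mail, :status)

# Constructed in-memory user store standing in for the database.
USERS = [
  User.new("alice", "alice@example.com", STATUS_ACTIVE),
  User.new("bob",   "bob@example.com",   STATUS_REGISTERED),
].freeze

def find_user_by_mail(mail)
  USERS.find { |u| u.mail.casecmp?(mail.to_s.strip) }
end

# Leaky handler: the response text differs for unknown, pending and active
# accounts, so the caller learns whether an address is registered and in
# which state. This is the behaviour the report describes.
def lost_password_leaky(mail)
  user = find_user_by_mail(mail)
  return { message: "Unknown user", mail_sent: false } if user.nil?
  if user.status == STATUS_REGISTERED
    return { message: "Account is pending approval", mail_sent: false }
  end
  { message: "An email with instructions has been sent", mail_sent: true }
end

# Uniform handler: the same message for every outcome. The lookup and the
# approval check still run, but they only decide whether the mailer is
# invoked; nothing about the account's existence reaches the response.
UNIFORM_MESSAGE =
  "If an account exists for that address, an email with instructions has been sent".freeze

def lost_password_uniform(mail, mailer = ->(_user) {})
  user = find_user_by_mail(mail)
  mailer.call(user) if user && user.status == STATUS_ACTIVE
  { message: UNIFORM_MESSAGE }
end

# Check used to compare the two handlers: probe one active, one pending and
# one unknown address and count how many distinct responses come back.
PROBES = ["alice@example.com", "bob@example.com", "nobody@example.com"].freeze

def distinct_responses(handler, mails)
  mails.map { |m| handler.call(m) }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:   #{distinct_responses(method(:lost_password_leaky), PROBES)} distinct responses"
  puts "uniform: #{distinct_responses(method(:lost_password_uniform), PROBES)} distinct responses"
end
```

Running the script prints 3 distinct responses for the leaky handler and 1 for the uniform one. A single message closes the oracle in the response body only; if the reset mail is sent inline, the extra latency for real active accounts can still distinguish them, so the send belongs in a background job so that every request returns in the same way.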


Related issues

Is duplicate of Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address (Closed, Go MAEDA)
