Feeling Lucky
?
[#31892] - [3] User Enumeration on frontend "Forgot your password"
- Closed
- 8 Jan 2021
- Medium
- Build: staging
- # 31892
Steps to reproduce the issue
Use "Forgot your password" on frontend of Joomla 4 beta 6
enter a valid syntax email of a non-user Eg : No-Such-Email@example.com
Click Submit
Expected result
"If a user matched that email address then we sent an email to them"
Actual result
"Reset password failed: Invalid email address" because no user matched that email address
System information (as much as possible)
Additional comments
Note that if a user EXISTS with the email address provided then the page redirects to
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Title |
|
||||||
PhilETaylor
- comment
- 8 Jan 2021
I was asked to test Joomla 4 beta 6 - so I did and reported what I found.
As the JSST are so slow to respond to any security issue reported, Im not surprised. The last time I asked for an update (October 2020) I was told that TEN of my reports were still outstanding and unresolved.
| Title |
|
||||||
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-01-08 16:09:46 |
| Closed_By | ⇒ | wilsonge |
PhilETaylor
- comment
- 8 Jan 2021
/facepalm...
| Title |
|
||||||
This code is line for line the same as j3. I haven't tested but struggle to believe this is j4 specific