Feeling Lucky
?
[#31893] - [3] User Enumeration on frontend "Forgot your username"
- Closed
- 8 Jan 2021
- Medium
- Build: staging
- # 31893
Steps to reproduce the issue
Joomla 4 beta 6 tested
Frontend click "Forgot your username"
Enter a syntax valid email address of a non-registered user - Eg No-Such-Email@example.com
Click Submit
Expected result
"If a user was found with that email address, then we have sent them an email"
Actual result
User Enumeration ability based on response.
"Reminder failed: User not found."
System information (as much as possible)
Additional comments
Note that if you use a email address of a registered user you get a different message
joomla-cms-bot
- | Labels |
Added:
?
|
||
PhilETaylor
- comment
- 8 Jan 2021
ok well Ive emailed security@joomla.org ... fingers crossed they make it for Joomla 3.9.24 as well then....
PhilETaylor
- comment
- 8 Jan 2021
Its insane that this type of security issue has been around for years though....
| Title |
|
||||||
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-01-08 16:09:35 |
| Closed_By | ⇒ | wilsonge |
| Title |
|
||||||
Again the remind model is line for line the same as j3 so likely exists there too and not j4 specific