•  
      request #14709 Lost password procedure can be used to spam a user
    Infos
    #14709
    Thomas Gerbet (tgerbet)
    2020-06-16 12:24
    2020-03-23 09:44
    15879
    Details
    Lost password procedure can be used to spam a user

    An annoying user only knowing the username of another user can use the "Lost password" procedure to send him/her a lot of mails.

    Besides being annoyed by those emails, there is not much risk with them: the content of the emails is not under the control of the annoying user and it is not a DoS risk (password procedure still works and the legitimate user can still login).

     

    Credits

    Issue has been reported by Ronit Bhatt via the security bug report procedure.

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2020-06-16
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2020-03-24 11:22
    Adding credits.

    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes