      request #14709 Lost password procedure can be used to spam a user
    Infos
    #14709
    Thomas Gerbet (tgerbet)
    2020-06-16 12:24
    2020-03-23 09:44
    15658
    Details
    Lost password procedure can be used to spam a user

    An annoying user only knowing the username of another user can use the "Lost password" procedure to send him/her a lot of mails.

    Besides being annoyed by those emails, there is not much risk with them: the content of the emails is not under the control of the annoying user and it is not a DoS risk (password procedure still works and the legitimate user can still login).

     

    Credits

    Issue has been reported by Ronit Bhatt via the security bug report procedure.

    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2020-06-16
    Attachments
    Empty
    References

    Follow-ups

    • Joris MASSON (jmasson) 2020-06-16 12:24
      gerrit #19235 integrated into Tuleap 11.15.99.137

      • Status changed from Verified to Closed
      • Connected artifacts
      • Close date set to 2020-06-16
    • Joris MASSON (jmasson) 2020-06-15 14:33
      gerrit #19193 integrated into Tuleap 11.15.99.130
    • Thomas Gerbet (tgerbet) 2020-03-24 11:22
      Adding credits.

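A per-account cap on lost-password mails is one way to address the weakness described in the Details of this request while keeping the procedure usable for the legitimate user. The sketch below is an added example, not Tuleap's code and not the change integrated through the gerrit reviews listed above, which this page does not show; the class name, the limits and the `alice` account are assumptions.

```python
import secrets
from collections import defaultdict, deque

class LostPasswordThrottle:
    """Caps reset mails per target account (limits are assumed values)."""

    def __init__(self, max_mails=3, window_s=3600, token_ttl_s=3600):
        self.max_mails = max_mails
        self.window_s = window_s
        self.token_ttl_s = token_ttl_s
        self._sent = defaultdict(deque)  # username -> timestamps of sent mails
        self._tokens = {}                # username -> (token, expires_at)

    def request_reset(self, username, now):
        """Return (mail_sent, token). The counter is keyed on the target
        username, not on the requester, because anyone who knows the
        username can trigger the procedure."""
        sent = self._sent[username]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()               # forget mails outside the window
        if len(sent) >= self.max_mails:
            return False, None           # suppressed: no mail, token untouched
        token = secrets.token_urlsafe(32)
        self._tokens[username] = (token, now + self.token_ttl_s)
        sent.append(now)
        return True, token

    def redeem(self, username, token, now):
        """The most recent mailed token stays valid while later requests are
        suppressed, so throttling does not block the account owner."""
        stored = self._tokens.get(username)
        if stored is None or now >= stored[1]:
            return False
        if not secrets.compare_digest(stored[0], token):
            return False
        del self._tokens[username]       # single use
        return True

def simulate_flood(requests=50, spacing_s=10):
    """Constructed scenario: one account is targeted every `spacing_s` seconds."""
    throttle = LostPasswordThrottle()
    mails, last_token = 0, None
    for i in range(requests):
        sent, token = throttle.request_reset("alice", now=i * spacing_s)
        if sent:
            mails, last_token = mails + 1, token
    # Every mail lands in the owner's mailbox, so the last one still works.
    still_works = throttle.redeem("alice", last_token, now=requests * spacing_s)
    return mails, still_works
```
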