tillo
Verified User
A low risk vulnerability affects the CMD_LOST_PASSWORD function, optionally activated by the lost_password setting.
Username enumeration is possible: while existing usernames are treated as expected, invalid usernames show an error. While this kind of behavior is very common, it is in fact quite dangerous and often used by attackers to guess valid account names.
The application should continue normally without informing the user whether the username was correct or not.
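The behaviour described above, as an added example that is not part of the original post and not DirectAdmin's own code: a leaky lost-password handler beside a hardened one, plus the kind of probe an attacker runs to tell them apart. The user table, the `send_reset_mail` stand-in and the message strings are constructed for the example.

```python
"""
Added example (hypothetical code, not DirectAdmin's): a lost-password handler
that leaks username validity, the fixed variant, and an attacker's probe.
"""
import secrets

# Constructed user table for the example: username -> e-mail on file.
USERS = {
    "alice": "alice@example.invalid",
    "bob": "bob@example.invalid",
}

GENERIC_MSG = "If that account exists, a reset link has been sent to the address on file."


def send_reset_mail(email: str, token: str) -> None:
    """Stand-in for mail delivery. Real code would queue the message so that
    the (slow) delivery step does not make the response time differ."""
    return None


def lost_password_leaky(username: str, users=USERS):
    """Vulnerable variant: unknown usernames get a different status and body."""
    if username not in users:
        return 400, "That username does not exist"
    token = secrets.token_urlsafe(32)
    send_reset_mail(users[username], token)
    return 200, "A reset link has been sent"


def lost_password_fixed(username: str, users=USERS):
    """Hardened variant: same status and body whether or not the user exists.
    The token is generated on both paths so the work done is nearly identical;
    only the (queued) mail send differs."""
    token = secrets.token_urlsafe(32)
    if username in users:
        send_reset_mail(users[username], token)
    return 200, GENERIC_MSG


def enumerate_users(handler, candidates):
    """Attacker's probe: request a reset for a random, certainly-nonexistent
    name to get a baseline, then flag every candidate whose response differs."""
    baseline = handler(secrets.token_hex(8))
    return [u for u in candidates if handler(u) != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "mallory"]
    print("leaky handler reveals:", enumerate_users(lost_password_leaky, wordlist))
    print("fixed handler reveals:", enumerate_users(lost_password_fixed, wordlist))
```

Against the leaky handler the probe recovers `alice` and `bob` from a wordlist; against the fixed handler every name produces the same response, so the probe finds nothing. In production the same rule applies to timing and to the login and registration forms, and a rate limit on the endpoint is still worth having since the generic message does not stop an attacker from flooding the mail queue.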