  1. Confluence Data Center
  2. CONFSERVER-34700

Forgotten password feature leaks information to the user that could be used to gain unauthorised access to Confluence

Details

    Description

      Using the forgotten password feature in Confluence, it is possible to find out which email addresses are stored in the system from the responses the form gives when it is submitted.

      These responses need to be made generic so that it is not possible to tell which email addresses are or are not stored in the database.
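The difference between an address-dependent reply and a generic one, as an added example that is not Confluence code and not part of the original report. The class, method names, status codes and message strings are hypothetical, and the sample addresses are constructed.

```python
# Added illustration; not Confluence code. All names and messages are hypothetical.
from dataclasses import dataclass, field

GENERIC_MSG = "If that address belongs to an account, a reset link has been sent."


@dataclass
class ResetService:
    users: set                                   # constructed sample data: registered addresses
    outbox: list = field(default_factory=list)   # stands in for the mail queue

    def _known(self, email):
        return email.strip().lower() in self.users

    def leaky(self, email):
        """'Before' behaviour: the reply depends on whether the address exists."""
        if not self._known(email):
            return 404, "No user with that email address was found."
        self.outbox.append(email.strip().lower())
        return 200, "A reset link has been sent to your email address."

    def generic(self, email):
        """Hardened behaviour: identical status and body for every address."""
        if self._known(email):
            # Mail is only queued for real accounts; the caller cannot see this.
            self.outbox.append(email.strip().lower())
        return 200, GENERIC_MSG


def leaks_account_existence(handler, known_email, unknown_email):
    """Regression check: True if the two replies can be told apart."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    svc = ResetService(users={"alice@example.com"})
    for name in ("leaky", "generic"):
        handler = getattr(svc, name)
        leaks = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: responses distinguishable = {leaks}")
```

The `leaks_account_existence` check can be kept as a regression test so a later change to the form's messages does not reintroduce the difference.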

      Attachments

        1. bademail.png (33 kB)
        2. genericerror.png (29 kB)
        3. genericyes.png (20 kB)

            People

              mtang Minh Tang (Inactive)
              shaffenden Steve Haffenden (Inactive)