Details
- Bug
- Resolution: Fixed
- Medium
- 5.5.6, 5.6.5
- None
Description
Using the forgotten password feature in Confluence, it is possible to find out which email addresses are stored in the system from the responses the form gives when it is submitted.
These responses need to be made generic so that it is not possible to tell which email addresses are or are not stored in the database.
Issue Links
- is caused by
  - JRACLOUD-65725 Username enumeration using the Login page in OnDemand (Closed)
- is duplicated by
  - CONFSERVER-22388 "Forgot Password" feature should not reveal that a given username exists within Confluence for security reason (Closed)
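The generic response the description asks for, next to the address-dependent behaviour it reports, as an added example that is not Confluence code. The user store, reply texts, status codes and function names are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: the address and reply texts are placeholders,
# not values taken from Confluence or from the issue.
USERS = {"alice@example.com": "alice"}
RESET_TOKEN_HASHES = {}   # username -> SHA-256 of the pending reset token
OUTBOX = []               # stands in for a mail queue: (address, token)

GENERIC_REPLY = (200, "If an account matches that address, "
                      "a password reset link has been sent to it.")


def forgot_password_leaky(email):
    """Behaviour the issue reports: the reply differs per address."""
    if email.strip().lower() in USERS:
        return (200, "A reset link has been sent to your address.")
    return (404, "No user with that email address was found.")


def forgot_password_generic(email):
    """Same status and body for every address; only the side effect differs."""
    address = email.strip().lower()
    username = USERS.get(address)
    if username is not None:
        token = secrets.token_urlsafe(32)
        # Keep only a hash server-side so a database read yields no usable token.
        RESET_TOKEN_HASHES[username] = hashlib.sha256(token.encode()).hexdigest()
        # Queue the mail instead of sending inline, so response time
        # does not depend on whether the address exists.
        OUTBOX.append((address, token))
    return GENERIC_REPLY


def reveals_membership(handler, known, unknown):
    """Regression check: True if the two replies can be told apart."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_generic):
        leaks = reveals_membership(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, "reveals membership:", leaks)
```

A check like `reveals_membership` can run in a test suite so that a later change to the form's messages does not reintroduce the difference.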