Task #105863: Remove exposeNonexistentUserInForgotPasswordDialog setting in ext:felogin
Status: Closed (100% done)
Description
When the setting exposeNonexistentUserInForgotPasswordDialog in ext:felogin is set to true, the password recovery process for frontend users exposes whether the given username or email address is found in the fe_users table. Although the setting is disabled by default, enabling it allows user enumeration and may raise privacy concerns. Instead of providing an option that could lead to insecure setups, TYPO3 should adopt secure defaults and remove the possibility for administrators to inadvertently compromise security.
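As an added illustration (not code from ext:felogin or from the TYPO3 patch), a minimal plain-PHP sketch of a password-recovery handler in both variants: the enumerating behaviour the removed setting enabled, and the secure default that answers identically whether or not the account exists. The user table, messages and mail stub are constructed stand-ins, not TYPO3 APIs.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the fe_users table; not a TYPO3 API.
const FE_USERS = [
    ['uid' => 1, 'username' => 'alice', 'email' => 'alice@example.org'],
    ['uid' => 2, 'username' => 'bob',   'email' => 'bob@example.org'],
];

function findFrontendUser(string $usernameOrEmail): ?array
{
    foreach (FE_USERS as $user) {
        if ($user['username'] === $usernameOrEmail || $user['email'] === $usernameOrEmail) {
            return $user;
        }
    }
    return null;
}

/**
 * Behaviour with the removed setting enabled: the visible response differs
 * depending on whether the account exists, so the lookup result leaks to
 * whoever submits the form (user enumeration).
 */
function recoverExposing(string $usernameOrEmail): string
{
    $user = findFrontendUser($usernameOrEmail);
    if ($user === null) {
        return 'No account found for ' . $usernameOrEmail . '.';
    }
    queueRecoveryMail($user);
    return 'A recovery link has been sent to ' . $user['email'] . '.';
}

/**
 * Secure default: the mail is still only queued for existing accounts,
 * but the response shown to the requester is the same in both cases.
 */
function recoverUniform(string $usernameOrEmail): string
{
    $user = findFrontendUser($usernameOrEmail);
    if ($user !== null) {
        queueRecoveryMail($user);
    }
    return 'If an account matches, a recovery link has been sent.';
}

// Stand-in for the mail step; a real handler would pass this to the mailer.
function queueRecoveryMail(array $user): void
{
    // Intentionally empty in this sketch.
}
```

Comparing recoverExposing('nobody@example.org') with recoverUniform('nobody@example.org') shows that only the first variant reveals the lookup result; the second keeps the response constant while still delivering mail to real accounts.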
Updated by Gerrit Code Review about 2 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87594
Updated by Torben Hansen about 1 month ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 6c2af8a43506d2107b82f17c866c2c0c6eed2b02.