The password for the email account set up in the wiki is sent to the user in the password field. This can be viewed by changing the password field type to text in developer tools, using JavaScript, by inspecting the response data, or by inspecting network traffic if HTTPS isn't used. There's no reason to send that data to the user; it should only be transmitted if the user is updating it.
Steps to reproduce the behavior:
Have an email address configured. In the mail section of administration, inspect the password field using your browser's developer tools and modify the type parameter to text, remove it, or enter an unsupported value. You will see the password associated with the email account.
Expected behavior
No password should ever be sent to the user. One possibility is to have a placeholder value filled into the field. This will signal to the user that a value is stored, without revealing the actual password.
Host Info
OS: Ubuntu Linux (bionic) 18.04 x64
Wiki.js version: 2.0.0-beta.303
Database engine: PostgreSQL 10.10
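One way to implement the expected behavior described in this report, as an added example (this is not Wiki.js's own code): the server replaces every secret field with a placeholder before the mail configuration is returned to the admin UI, and when the form comes back it treats the placeholder (or an absent field) as "unchanged" so the stored password is never overwritten by the sentinel. The field name `pass`, the placeholder string and the sample configuration are assumptions made for the example.

```javascript
// Added illustrative example, not Wiki.js's implementation. The field name
// 'pass', the placeholder string and the sample configuration are assumptions.

// Fields whose values must never leave the server.
const SECRET_FIELDS = ['pass'];          // assumed name of the SMTP password field
const PLACEHOLDER = '********';          // sentinel the UI shows instead of the secret

// Constructed sample of what the server has stored for the mail module.
const SAMPLE_STORED_CONFIG = {
  host: 'smtp.example.com',
  port: 587,
  secure: false,
  user: 'wiki@example.com',
  pass: 'correct horse battery staple',
};

// Prepare a configuration object for the admin UI: every secret field is
// replaced by the placeholder when a value is stored, or by an empty string
// when none is. The client learns only whether a secret exists.
function redactForClient(config) {
  const out = { ...config };
  for (const key of SECRET_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(out, key)) {
      out[key] = out[key] ? PLACEHOLDER : '';
    }
  }
  return out;
}

// Apply an update coming back from the admin UI. A secret field that is
// absent or still holds the placeholder means "unchanged", so the stored
// value is kept; any other value (including an empty string, which clears
// the secret) replaces the stored one.
function mergeUpdate(stored, incoming) {
  const merged = { ...stored, ...incoming };
  for (const key of SECRET_FIELDS) {
    const untouched = !Object.prototype.hasOwnProperty.call(incoming, key)
      || incoming[key] === PLACEHOLDER;
    if (untouched) {
      merged[key] = stored[key];
    }
  }
  return merged;
}

// Server-side regression check: serialise the response exactly as it would be
// sent and confirm the real secret does not appear anywhere in it. This is
// the check the report's reproduction steps perform by hand in the browser.
function responseLeaksSecret(stored, responseObject) {
  const body = JSON.stringify(responseObject);
  return SECRET_FIELDS.some((key) => Boolean(stored[key]) && body.includes(stored[key]));
}

// Demonstration: the unredacted object leaks, the redacted one does not, and
// a round trip through the UI with the placeholder leaves the password intact.
console.log('raw leaks:      ', responseLeaksSecret(SAMPLE_STORED_CONFIG, SAMPLE_STORED_CONFIG));
console.log('redacted leaks: ', responseLeaksSecret(SAMPLE_STORED_CONFIG, redactForClient(SAMPLE_STORED_CONFIG)));
const roundTrip = mergeUpdate(SAMPLE_STORED_CONFIG, { ...redactForClient(SAMPLE_STORED_CONFIG), port: 465 });
console.log('password kept:  ', roundTrip.pass === SAMPLE_STORED_CONFIG.pass, 'port now', roundTrip.port);
```

The redaction has to happen on the server, in whatever resolver or handler builds the response; hiding the value with an `<input type="password">` in the UI does nothing, since the report shows the value is already in the response body. The `responseLeaksSecret` check is the kind of assertion a unit test for that handler can run against the serialised response.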