Steps to reproduce
Log in to Weblate with a valid email, but a wrong password
Actual behaviour
Weblate displays: "User with this email address was not found."
Expected behaviour
Weblate displays: "Invalid password or username / email address"
Displaying that a user with this email address is not found makes it possible to do user enumeration to figure out whether an account exists. Since dumps of password / email address pairs are widely available and password re-use is a thing, displaying whether an account is on the server is a valid threat.
The login form also does not seem to implement any rate limiting, which makes it easy to brute-force.
Server configuration
Standard.
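The two behaviours the report contrasts, as an added example that is not Weblate's code: a login handler that leaks account existence through its error text next to one that returns the single generic message for both failure cases, an attacker-side probe that sorts candidate emails by the message it gets back, and a sliding-window limiter that refuses further attempts after repeated failures. The user store, the hashing parameters, the `GENERIC_ERROR` text and the limiter thresholds are all constructed for the example; the message strings are the ones quoted in the report.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed sample user store (not Weblate's schema): email -> (salt, PBKDF2 hash).
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = os.urandom(16)
USERS = {"alice@example.org": (_SALT, _hash_password("correct horse", _SALT))}
# Dummy credential so a lookup miss still costs one hash computation; in a real
# deployment this would be precomputed once, not derived at import time.
_DUMMY = (_SALT, _hash_password("dummy", _SALT))

NOT_FOUND = "User with this email address was not found."
GENERIC_ERROR = "Invalid password or username / email address"


def leaky_login(email, password):
    """Behaviour described in the report: the message differs when the account is absent."""
    if email not in USERS:
        return False, NOT_FOUND
    salt, expected = USERS[email]
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return True, "ok"
    return False, GENERIC_ERROR


def hardened_login(email, password):
    """Expected behaviour: one message for both failure cases, and one hash
    computation either way so response time does not leak existence either."""
    salt, expected = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    # A match against the dummy credential must never count as a login.
    if matches and email in USERS:
        return True, "ok"
    return False, GENERIC_ERROR


def probe_accounts(login, candidates):
    """Attacker-side enumeration probe: submit a throwaway password for each
    candidate email and group the emails by the error text returned. More than
    one distinct message means the form tells the attacker which accounts exist."""
    by_message = defaultdict(list)
    for email in candidates:
        _, msg = login(email, "not-the-password")
        by_message[msg].append(email)
    return dict(by_message)


class FailedLoginLimiter:
    """Sliding-window failure counter keyed on a client identifier (here the
    caller passes the IP; keying on the email as well catches distributed guessing
    but lets an attacker lock a victim out). After `max_failures` failures within
    `window` seconds, attempts are refused before the password store is consulted."""

    def __init__(self, max_failures=5, window=300.0):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        return len(self._prune(key, now)) < self.max_failures

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._prune(key, now).append(now)


def rate_limited_login(limiter, client_key, email, password, now=None):
    """Hardened handler behind the limiter; `now` is injectable for testing."""
    if not limiter.allow(client_key, now):
        return False, "Too many failed attempts, try again later"
    ok, msg = hardened_login(email, password)
    if not ok:
        limiter.record_failure(client_key, now)
    return ok, msg


if __name__ == "__main__":
    candidates = ["alice@example.org", "bob@example.org"]
    print("leaky   :", probe_accounts(leaky_login, candidates))
    print("hardened:", probe_accounts(hardened_login, candidates))
```

Running the probe against `leaky_login` splits the candidates into two buckets, one per message, which is exactly the enumeration oracle the report describes; against `hardened_login` every candidate lands in the single `GENERIC_ERROR` bucket. The dummy-hash lookup in `hardened_login` matters because collapsing the message alone still leaves a timing difference between "no user, return immediately" and "user found, verify hash".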