A recent security test identified that the "forgot your password?" page at /account/forgotpassword can cause large numbers of emails to be sent to the entered address, if it is a registered user's email.
See https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html which recommends protecting such functionality with rate limiting and CAPTCHA.
I don't think we need to add another option to the reCAPTCHA integration (see https://www.cloudscribe.com/google-recaptcha-integration) - I suggest if this is automatically configured we apply it to the /account/forgotpassword page.
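An added example (not cloudscribe's code) of the rate limiting the cheat sheet recommends for this endpoint: a sliding-window limiter keyed on both the target address and the client IP, so one address cannot be flooded even from many clients. The limits, the window, the registered-user set and the `send_mail` callback are assumed for illustration.

```python
from collections import defaultdict, deque

# Constructed limits for illustration; tune per deployment.
MAX_PER_EMAIL = 3       # reset mails per target address per window
MAX_PER_IP = 10         # submissions per client IP per window
WINDOW_SECONDS = 3600   # one-hour sliding window


class ResetRequestLimiter:
    """Sliding-window limiter keyed on the target address and on the client IP."""

    def __init__(self, max_per_email=MAX_PER_EMAIL, max_per_ip=MAX_PER_IP,
                 window=WINDOW_SECONDS):
        self.max_per_email = max_per_email
        self.max_per_ip = max_per_ip
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of attempts

    def _count(self, key, now):
        # Drop attempts that have aged out of the window, then count the rest.
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def allow(self, email, client_ip, now):
        # Normalise the address so case variants share one budget.
        email_key = ("email", email.strip().lower())
        ip_key = ("ip", client_ip)
        ok = (self._count(email_key, now) < self.max_per_email
              and self._count(ip_key, now) < self.max_per_ip)
        # Record every attempt, accepted or not, so retries do not extend the budget.
        self._hits[email_key].append(now)
        self._hits[ip_key].append(now)
        return ok


def forgot_password(limiter, registered_emails, email, client_ip, now, send_mail):
    """Handler logic: identical generic response for every outcome (no account
    enumeration); a reset mail is sent only when the limiter permits it."""
    generic = "If that address is registered, a reset link has been sent."
    if not limiter.allow(email, client_ip, now):
        return generic
    if email.strip().lower() in registered_emails:
        send_mail(email)  # assumed hypothetical mail-sending callback
    return generic
```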