Impact
It is possible to enumerate usernames via the forgot password functionality
Patches
Update to version 10.1.3 or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch
Workarounds
Apply https://github.com/pimcore/pimcore/pull/10223.patch manually.
References
https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c/