Email enumeration vulnerability on "Password Reset" dialogue

RGJ · August 1, 2023, 7:52am

Enable Admin - Settings - Login - hide email address taken

hide email address taken

Don’t inform users that an account exists with a given email address during signup or during forgot password flow. Require full email for ‘forgotten password’ requests.

See also Different password reset for wrong username/email (2014 )

Edit @JammyDodger was 40 seconds faster

Topic		Replies	Views
Different password reset for wrong username/email feature	65	26941	August 4, 2023
Two emails for one user feature	49	14323	June 20, 2017
Please restore email digests feature	47	6582	June 20, 2017
Configure Discourse - Environment AWS Linux 2 AMI and Apache2 (httpd) installation advanced-setup	3	1447	July 7, 2023
Any mass email functionality? feature	50	14217	October 27, 2020

Email enumeration vulnerability on "Password Reset" dialogue

hide email address taken

Related Topics