Email enumeration vulnerability on "Password Reset" dialogue

RGJ · August 1, 2023, 7:52am

Enable Admin - Settings - Login - hide email address taken

hide email address taken

Don’t inform users that an account exists with a given email address during signup or during forgot password flow. Require full email for ‘forgotten password’ requests.

See also Different password reset for wrong username/email (2014 )

Edit @JammyDodger was 40 seconds faster

Topic		Replies	Views
Different password reset for wrong username/email Feature	65	27663	August 4, 2023
Two emails for one user Feature	49	14807	June 20, 2017
Please restore email digests Feature	47	6856	June 20, 2017
Configure Discourse - Environment AWS Linux 2 AMI and Apache2 (httpd) Installation advanced-setup	3	2007	July 7, 2023
Any mass email functionality? Feature	50	14528	October 27, 2020

Email enumeration vulnerability on "Password Reset" dialogue

hide email address taken

Related topics