[
https://issues.apache.org/jira/browse/SYNCOPE-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18089592#comment-18089592
]
ASF subversion and git services commented on SYNCOPE-1974:
----------------------------------------------------------
Commit 253c475638aa4f5ed3de6ec8af0c1080e38270cc in syncope's branch
refs/heads/master from Massimiliano Perrone
[ https://gitbox.apache.org/repos/asf?p=syncope.git;h=253c475638 ]
[SYNCOPE-1974] Avoid password reset user enumeration (#1416)
> Harden password reset errors against user enumeration
> -------------------------------------------------------
>
> Key: SYNCOPE-1974
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1974
> Project: Syncope
> Issue Type: Improvement
> Reporter: Massimiliano Perrone
> Assignee: Massimiliano Perrone
> Priority: Major
> Fix For: 4.0.7, 4.1.2, 5.0.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Password reset responses should be hardened to avoid exposing whether a
> submitted username or email address matches an existing user account.
> Add a configurable option to return a generic password reset response when
> the submitted account identifier is unknown or invalid, while preserving
> backward compatibility for existing deployments.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
