Details
- Type: Problem report
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 4.0.1
- Fix Version/s: 3.0.25rc1, 4.0.3rc1, 4.2.0alpha2, 4.2 (plan)
- Component/s: API (A)
- Labels:
- Team: Team B
- Sprint: Sprint 46, Nov 2018, Sprint 47, Dec 2018
- Story Points: 0.5
Description
Steps to reproduce:
- Use an IPv6 internet connection
- Navigate to login screen
- Use a valid username with a wrong password
- Click "Sign in"
Result:
See screenshot...
This is in fact an information disclosure vulnerability, since you can search for existing user accounts that way. I asked for an alternative way to submit this issue, but didn't get an answer for about two weeks.