Security glitch: a user can request a password reset without even logging in.
Steps:
1. Enter the URL: https://www.bugheist.com/accounts/password/reset/
2. Enter the email ID of any user, or automate it with a script that submits 1000 email IDs.
3. The password reset mail will be delivered to every email ID that exists in the system.
It is a threat to any website when any user can send 100s of password reset emails.
There should be an if condition on that screen (a secured-information screen) requiring the user to be logged in to the website to view it.
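One way to cap the reset-mail volume described in step 2, as an added example rather than BugHeist's own code: a sliding-window limit per client IP and per target address. The class and function names, the limits (5 per IP and 3 per address, per hour) and the sample addresses are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque


class ResetThrottle:
    """Sliding-window limiter for password-reset requests (hypothetical helper)."""

    def __init__(self, per_ip=5, per_email=3, window=3600, clock=time.monotonic):
        self.limits = {"ip": per_ip, "email": per_email}  # illustrative limits
        self.window = window          # seconds
        self.clock = clock            # injectable so the window can be tested
        self.hits = defaultdict(deque)

    def _allow(self, kind, value):
        now = self.clock()
        q = self.hits[(kind, value)]
        while q and now - q[0] >= self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.limits[kind]:
            return False
        q.append(now)
        return True

    def allow(self, ip, email):
        # The IP counter is charged for every attempt, including addresses that
        # do not exist, so a script cycling through addresses is cut off early.
        return self._allow("ip", ip) and self._allow("email", email.strip().lower())


def request_reset(throttle, registered, outbox, ip, email):
    """Return an HTTP-style status; queue a mail only if allowed and registered."""
    if not throttle.allow(ip, email):
        return 429
    if email.strip().lower() in registered:
        outbox.append(email.strip().lower())
    return 200   # same status whether or not the address exists


def simulate_bulk(n=1000, ip="203.0.113.7"):
    """Constructed input: one client submits n registered addresses in a row."""
    now = [0.0]
    throttle = ResetThrottle(clock=lambda: now[0])
    registered = {f"user{i}@example.test" for i in range(n)}
    outbox = []
    codes = [request_reset(throttle, registered, outbox, ip, f"user{i}@example.test")
             for i in range(n)]
    return len(outbox), codes.count(429)
```

In a multi-process deployment the counters would live in a shared store such as the site's cache rather than in process memory.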