
Failing SMTP connection might result in information disclosure in password recovery #17091

@sgiehl

Description

When the SMTP connection is not set up correctly, or is failing due to other reasons like #17026, requesting password recovery currently displays the full error message returned from the SMTP server. This could, for example, include the sender mail address or the login.
As the password recovery is publicly available, we should consider not showing the full error message in this case.
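
The failure mode described in this issue, next to one way to contain it, as an added example that is not part of the issue and not Matomo's code. The function names, the SMTP error string and the addresses are constructed for illustration.

```php
<?php
// Added illustration with hypothetical names; not Matomo's code.

// Constructed stand-in for a mailer whose SMTP login is misconfigured.
function sendMail(string $to, string $subject, string $body): void
{
    throw new RuntimeException(
        '535 5.7.8 Authentication failed for user "mailer@example.org" at smtp.example.org:587'
    );
}

// Before: the transport error text is returned to the anonymous requester.
function requestResetLeaky(string $email): string
{
    try {
        sendMail($email, 'Password reset', 'Reset link: <placeholder>');
        return 'A reset mail has been sent.';
    } catch (RuntimeException $e) {
        return 'Error: ' . $e->getMessage();
    }
}

// After: full detail goes to the server log under a reference id;
// the public response is fixed text plus that id.
function requestResetSafe(string $email, callable $log): string
{
    try {
        sendMail($email, 'Password reset', 'Reset link: <placeholder>');
        return 'A reset mail has been sent.';
    } catch (RuntimeException $e) {
        $ref = bin2hex(random_bytes(4));
        $log(sprintf('[%s] password reset mail failed: %s', $ref, $e->getMessage()));
        return "The reset mail could not be sent. Contact your administrator (ref $ref).";
    }
}

$serverLog = [];
$log = function (string $line) use (&$serverLog): void {
    $serverLog[] = $line;
};

echo requestResetLeaky('user@example.com'), PHP_EOL;      // includes SMTP login and host
echo requestResetSafe('user@example.com', $log), PHP_EOL; // fixed text plus reference id
echo $serverLog[0], PHP_EOL;                              // full SMTP error, server side only
```

The reference id lets an administrator match a user's report to the logged SMTP error without the public page carrying any server detail.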

Labels

Help wanted: Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.
c: Security: For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
