username leak. remove "user found" from login page
Closed this issue · 2 comments
emmettownsend commented
Anyone can scrape usernames from an NSS service by using the login page, since it discloses “user found”. (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13))
emmettownsend commented
Davi found this defect yesterday.
Looks like it could be fixed by just changing the error message sent back to the browser to something like: 'The username and password combination is not valid'.
bourgeoa commented
Thanks for reporting.