Change localized text to stop user enumeration

Published: Jan 19, 2011

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke supports the ability for the user to get a copy of their password emailed out if they have forgotten it.

Issue Summary

The messages returned by the forgot password utility were too detailed: they differed depending on whether the supplied username existed, so the utility could be used to confirm the existence of user accounts.
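The following is an added example and is not DotNetNuke's own code or the fix shipped in 5.6.1. It models the defect class described above in a small Python handler: a verbose forgot-password function whose reply reveals whether an account exists, beside a uniform version that returns the same text in both cases, plus a regression check a team can run to confirm that a handler's replies no longer distinguish known from unknown usernames. The user table, messages and mail stub are constructed for this illustration.

```python
"""Forgot-password handler: account-revealing reply vs. a uniform one.

Added example, not DotNetNuke's code. The user store, messages and the
mail stub are constructed for the illustration.
"""

# Constructed sample user store: username -> email on file. Not real data.
USERS = {
    "alice": "alice@example.test",
    "bob": "bob@example.test",
}


def send_mail(outbox, to_address, body):
    """Stand-in for the real mailer: appends to a list so a test can inspect it."""
    outbox.append((to_address, body))


def forgot_password_verbose(username, users=USERS, outbox=None):
    """Vulnerable shape: the reply text tells the caller whether the account exists."""
    outbox = [] if outbox is None else outbox
    email = users.get(username)
    if email is None:
        return "Username not found."  # reveals: no such account
    send_mail(outbox, email, "Your password reminder.")
    return f"Your password has been sent to {email}."  # reveals: account exists, and its address


GENERIC_REPLY = (
    "If the account exists, a password reminder has been sent "
    "to the email address on file."
)


def forgot_password_uniform(username, users=USERS, outbox=None):
    """Fixed shape: identical reply for known and unknown usernames.

    Mail is still sent only when the account exists, but nothing in the
    returned text (and no exception) distinguishes the two cases.
    """
    outbox = [] if outbox is None else outbox
    email = users.get(username)
    if email is not None:
        send_mail(outbox, email, "Your password reminder.")
    return GENERIC_REPLY


def leaks_account_existence(handler, known_user, unknown_user):
    """Regression check: does the handler reply differently for a known vs. an unknown name?

    Returns True when the two replies are distinguishable, i.e. when the
    handler could be used to enumerate accounts.
    """
    reply_known = handler(known_user, outbox=[])
    reply_unknown = handler(unknown_user, outbox=[])
    return reply_known != reply_unknown


if __name__ == "__main__":
    for name, handler in (("verbose", forgot_password_verbose),
                          ("uniform", forgot_password_uniform)):
        print(f"{name:8s} leaks existence: {leaks_account_existence(handler, 'alice', 'nobody')}")
```

The same uniformity should hold for anything else the caller can observe from the response, such as HTTP status codes, redirect targets and error pages; the check above only covers the reply text, which is the channel this advisory concerns.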

Mitigating factors

This only affects sites where the forgot password utility is used. If the authentication provider does not support this, or has enablePasswordRetrieval set to false in web.config, no action is required.

Affected DotNetNuke versions

  • 3.0-5.6.0

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, it is recommended that you update to the latest version of DotNetNuke (5.6.1 at the time of writing).

Acknowledgments

Andrew Hallmark

Security Policy

See the DotNetNuke Security Policy for more details.
