The username of an account can be ..
Vulnerability Details
Hello,
## Description:
The username of an account can be set to `..`. This makes it impossible to view the public profile of this account.
## POC:
I have claimed the username `..` on the demo.weblate.org site. It is impossible to view this account's public profile page.
Here is the public profile page: https://demo.weblate.org/user/../
## Mitigation
I recommend filtering usernames to prevent them from starting with `.`.
Thanks!
Report Stats
- Report ID: 243609
- State: Closed
- Substate: resolved
- Upvotes: 4
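
The following is an added example, not part of the original report or of Weblate's code. It applies RFC 3986 dot-segment removal, which browsers and HTTP clients perform before sending a request, to the `/user/<username>/` layout from the report, and pairs it with a validator for the recommended rule; the function names are hypothetical.

```python
"""Added example: why a profile at /user/<username>/ breaks for dot names."""


def remove_dot_segments(path: str) -> str:
    """Simplified RFC 3986 section 5.2.4 for absolute paths."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty root segment
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def profile_path(username: str) -> str:
    # URL layout taken from the report: https://demo.weblate.org/user/<username>/
    return f"/user/{username}/"


def profile_reachable(username: str) -> bool:
    """True if the profile path survives client-side normalization unchanged."""
    path = profile_path(username)
    return remove_dot_segments(path) == path


def validate_username(username: str) -> str:
    """Hypothetical validator implementing the report's recommendation."""
    if username.startswith("."):
        raise ValueError("username must not start with '.'")
    return username


if __name__ == "__main__":
    for name in ("alice", ".", "..", ".hidden"):  # constructed sample names
        try:
            validate_username(name)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        resolved = remove_dot_segments(profile_path(name))
        print(f"{name!r:10} -> {resolved!r:16} {verdict}")
```

Only `.` and `..` are rewritten by normalization; the leading-dot rule from the report rejects both, along with names such as `.hidden` that would otherwise still resolve.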