Disabled user can reset their password
Vulnerability Details
Steps:
1) Create user and disable the account
2) Go to reset password and enter the disabled user's email address. A password reset link is sent, and he can reset the password using that link.
The point is: a disabled user can still access their account via the reset password page. This is a very minor issue.
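A minimal in-memory model of the flow in the steps above, added here as an example and not code from the report or the affected application; `ResetService`, its methods and the `check_state` switch are hypothetical names. With `check_state=False` it behaves as reported; with the default it refuses disabled accounts both when the link is requested and when it is redeemed.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds; constructed value for this example

class ResetService:
    def __init__(self):
        self.users = {}    # email -> {"disabled": bool, "password": str}
        self.tokens = {}   # sha256(token) -> (email, expiry)
        self.outbox = []   # (email, token) pairs that would be mailed

    def add_user(self, email, password, disabled=False):
        # A real system stores a password hash; plain text keeps the model short.
        self.users[email] = {"disabled": disabled, "password": password}

    def disable(self, email):
        self.users[email]["disabled"] = True
        # Revoke reset links issued before the account was disabled.
        self.tokens = {h: v for h, v in self.tokens.items() if v[0] != email}

    def request_reset(self, email, check_state=True):
        user = self.users.get(email)
        if user and not (check_state and user["disabled"]):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, time.time() + TOKEN_TTL)
            self.outbox.append((email, token))
        # Same reply in every case, so the form does not reveal account state.
        return "If the account exists, a reset link has been sent."

    def redeem(self, token, new_password, check_state=True):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # single use
        if entry is None or entry[1] < time.time():
            return False
        user = self.users[entry[0]]
        # Re-check here: the account may have been disabled after the link was issued.
        if check_state and user["disabled"]:
            return False
        user["password"] = new_password
        return True
```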
Report Stats
- Report ID: 261297
- State: Closed
- Substate: resolved
- Upvotes: 7