The password recovery form lets users know whether or not an email address exists on the website
## Vulnerability Details
URL: https://apps.nextcloud.com/password/reset/
I have tried to recover the password for some emails:
[email protected] (exists)
[email protected] (does not exist)
After I clicked the "reset my password" button, the website informed me that the email did not exist.
## Impact
This is a bad practice, and it is an invitation to brute force emails that possibly exist in the domain @nextcloud.com.
By using a wordlist of common passwords, it is possible to guess a combination of email/password of an administrator account.
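The difference between the reported behaviour and the fix, as an added illustration that is not part of the report and not Nextcloud's code: the leaky handler's reply depends on the lookup result, while the hardened handler returns one fixed message and lets the lookup decide only whether a mail is queued. The user table and addresses are constructed stand-ins.

```python
import secrets
from typing import Callable

# Constructed stand-in for the site's user table (hypothetical accounts).
USERS = {"admin@example.invalid": {"id": 1}, "alice@example.invalid": {"id": 2}}

# Where a reset mail would be queued; kept in memory here for illustration only.
OUTBOX: list[tuple[str, str]] = []


def reset_request_leaky(email: str) -> str:
    """Mirrors the reported behaviour: the visible reply differs depending on
    whether the address is registered, so the form acts as an account oracle."""
    if email not in USERS:
        return "This email address does not exist."
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return "We have sent you a password reset link."


def reset_request_uniform(email: str) -> str:
    """Hardened form: the same reply for every request. The lookup only
    decides whether a mail is queued; the outcome is delivered out of band,
    to the mailbox, which only its owner can read."""
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    # In a real app the status code, redirect target and response size must
    # also be identical on both paths, not just the message text.
    return "If an account exists for that address, a reset link has been sent."


def leaks_existence(handler: Callable[[str], str], known: str, unknown: str) -> bool:
    """Regression check for this bug class: does the visible response differ
    between a registered and an unregistered address?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (reset_request_leaky, reset_request_uniform):
        print(h.__name__, "leaks:", leaks_existence(h, "admin@example.invalid", "nobody@example.invalid"))
```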
## Report Stats
- Report ID: 681468
- State: Closed
- Substate: resolved
- Upvotes: 10