Missing rate limit on password reset function
Hi,
The functionnality "Forgot your password ?" miss a human test, a captcha or rate limit.
Vulnerable url: http://xxx.xxxxxxxxxxxx.xxx/............
{}
The functionality can be used to email spam a known user.
- limit the functionality to x attempts in a predefined period before blocking the account
- set up a captcha to prevent robots
Best regards,
Gwen