generic response message in lost password functionality to avoid acco…

…unt enumeration
zikula · Jan 3, 2022 · 33ede73 · 33ede73
1 parent 09a396e
commit 33ede73
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
@@ -7,6 +7,7 @@
 
 - Fixes:
   - [Admin] Sanitize extension title in admin panel.
+  - [ZAuth] Generic response message in lost password functionality to avoid account enumeration.
 
 - Features:
   - _there should be none_

diff --git a/src/system/ZAuthModule/Controller/AccountController.php b/src/system/ZAuthModule/Controller/AccountController.php
@@ -235,7 +235,7 @@ public function lostPasswordResetAction(
         /** @var UserEntity $user */
         $user = $userRepository->find($requestDetails['userId']);
         if (null === $user) {
-            $this->addFlash('error', 'User not found. Please contact a site administrator for assistance.');
+            $this->addFlash('error', 'If an account exists with that email or username, a password reset will be sent to it.');
 
             return $this->redirectToRoute($redirectToRoute);
         }