From 33ede7318ef590a690ced11bbd5d76bed5d37286 Mon Sep 17 00:00:00 2001
From: Axel Guckelsberger
Date: Mon, 3 Jan 2022 11:17:08 +0100
Subject: [PATCH] generic response message in lost password functionality to avoid account enumeration

---
 CHANGELOG-3.0.md | 1 +
 src/system/ZAuthModule/Controller/AccountController.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
index 67f590971e..196940e316 100644
--- a/CHANGELOG-3.0.md
+++ b/CHANGELOG-3.0.md
@@ -7,6 +7,7 @@
 - Fixes:
 - [Admin] Sanitize extension title in admin panel.
+ - [ZAuth] Generic response message in lost password functionality to avoid account enumeration.
 - Features:
 - _there should be none_
diff --git a/src/system/ZAuthModule/Controller/AccountController.php b/src/system/ZAuthModule/Controller/AccountController.php
index 6d084a7d73..3dd8627dff 100644
--- a/src/system/ZAuthModule/Controller/AccountController.php
+++ b/src/system/ZAuthModule/Controller/AccountController.php
@@ -235,7 +235,7 @@ public function lostPasswordResetAction(
 /** @var UserEntity $user */
 $user = $userRepository->find($requestDetails['userId']);
 if (null === $user) {
- $this->addFlash('error', 'User not found. Please contact a site administrator for assistance.');
+ $this->addFlash('error', 'If an account exists with that email or username, a password reset will be sent to it.');
 return $this->redirectToRoute($redirectToRoute);
 }
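Review bot: The generic wording alone does not close the enumeration channel, because the not-found branch still emits the message under the `'error'` flash type while the found branch (outside this hunk) presumably reports under a different type, so the two responses remain distinguishable by the flash's styling or markup even though the text now matches. Use whatever flash type the successful path uses, e.g. `$this->addFlash('status', 'If an account exists with that email or username, a password reset will be sent to it.');` if `'status'` is the key that flow uses, and make sure the redirect target and the message text are identical in both branches, ideally sourced from one constant or translation key so they cannot drift apart. The remaining observable difference is timing, since the found branch goes on to do more work before redirecting while this branch returns immediately; whether that matters depends on the deployment, but it is worth noting in a comment next to the check. lostPasswordResetAction begins and ends outside the hunk, so the success path itself could not be verified here.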