Skip to content

Please remove sensitive private info from lgnForgotPassSentTpl #141

Description

@donShakespeare

https://github.com/modxcms/Login/blob/master/core/components/login/elements/chunks/lgnforgotpasssenttpl.chunk.tpl

Something many users might not know is that when you allow the feature "Reset Password" you need to really really really customize this one uncommon tpl

[[!Login? &sentTpl=`lgnForgotPassSentTpl`]]
Otherwise, any lurker can get any user's email address if the lurker knows a username.
The lurker just has to attempt to reset password by given username.

The unusual default HTML of that tpl is something revealing like this...
<p>Your login information has been sent to the email address [[+email]].</p>

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions