This was originally reported to the security team who decided it could be public
There is a vulnerability in Drupal's user password reset function.
The Drupal version I checked is 10.2.3.
The frontend theme is Olivero 10.2.3.
You can see this vulnerability by:
1. Access the page below and receive a password reset URL email.
https://example.com/user/password
2. Get it without clicking the URL below in the email.
https://example.com/user/reset/<my-uid>/1708915080/LuZCUc1oOXJA86OUkCg7j6HDzulz4SbvRHeI-uNl6BE
3. When you access the URL obtained in step 2, you will be redirected to the following, but using a tool such as Burp,
Modify the redirect URL before redirecting.
From:https://example.com/user/reset/<my-uid>
To:https://example.com/user/reset/<modify-uid>
4. The following message is displayed on the redirect URL (https://example.com/user/reset/<modify-uid>).
You will be able to view other people's %user_name.
*This is registered as a translated message at (/admin/config/regional/translate).
This is a one-time login for %user_name and will expire on %expiration_date.
Click on this button to log in to the site and change your password.
Active
11.0 🔥
Last updated
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
larowlan → credited shuuhei1.yamamoto@scsk.jp → .
This seems similar to issues solved by this contrib module: https://www.drupal.org/project/username_enumeration_prevention →
I would like to see a core solution for this since a lot of external auditors flag it and I think it gets reported back.