View Issue Details
|ID|Project|Category|View Status|Date Submitted|Last Update|
|---|---|---|---|---|---|
|18529|Feature requests|Security|public|2022-11-30 11:15|2022-12-05 11:48|
Summary: 18529: Security Problem: Unlimited Password reset function in LimeSurvey 3.28
We ran a penetration test against our own LimeSurvey V3.28.32 server.
The result was that an attacker who has the information needed to use the password reset function to trigger an email can repeat the required request as often as they wish, and thus trigger another email to the target address each time. This can, on the one hand, flood the target mailbox with emails and, on the other hand, create load on the sending mail server, which slows it down or even overloads it.
To fix this, the number of emails sent should be limited. In addition, the sending of further password reset emails should be prevented as long as the affected user has not yet completed a previous reset process, or completed it only a short time ago.
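The mitigation the report asks for, written out as an added illustrative example (this is not LimeSurvey code and does not use its API): a throttle placed in front of the "send reset email" step that refuses a new email while an earlier reset token is still outstanding, enforces a cooldown after each email, caps the number of emails per account per window, and additionally caps requests per source IP so that one client cannot spray many accounts. The class name, limits, window sizes and the clock injection are all assumptions chosen for the example.

```python
"""Throttle for a "forgot password" endpoint.

Added example, not LimeSurvey's own code. All limits and names are
assumptions; tune them to the deployment. Timestamps are taken from an
injectable clock so the behaviour can be tested without sleeping.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional
import time


@dataclass
class _AccountState:
    # Expiry time of the reset token that is still unused, or None.
    pending_token_expiry: Optional[float] = None
    # Send timestamps inside the current accounting window.
    sent_at: Deque[float] = field(default_factory=deque)


class PasswordResetThrottle:
    """Decides whether a reset email may be sent for (account, source IP)."""

    def __init__(self, *, cooldown_s=300, max_per_account=3, window_s=3600,
                 max_per_ip=10, token_ttl_s=1800, clock=time.time):
        self.cooldown_s = cooldown_s          # min. gap between two emails to one account
        self.max_per_account = max_per_account  # emails per account per window
        self.window_s = window_s              # sliding window for both counters
        self.max_per_ip = max_per_ip          # emails triggered from one IP per window
        self.token_ttl_s = token_ttl_s        # lifetime of an issued reset token
        self.clock = clock
        self._accounts: Dict[str, _AccountState] = {}
        self._ips: Dict[str, Deque[float]] = {}

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def request(self, account: str, src_ip: str) -> str:
        """Return "sent" or a "denied:<reason>" string; only "sent" mails."""
        now = self.clock()
        ip_q = self._ips.setdefault(src_ip, deque())
        self._prune(ip_q, now)
        if len(ip_q) >= self.max_per_ip:
            return "denied:ip_limit"

        st = self._accounts.setdefault(account, _AccountState())
        self._prune(st.sent_at, now)
        # An unused, unexpired token is outstanding: do not send another.
        if st.pending_token_expiry is not None and st.pending_token_expiry > now:
            return "denied:reset_pending"
        # Last email went out too recently, even if that reset was completed.
        if st.sent_at and now - st.sent_at[-1] < self.cooldown_s:
            return "denied:cooldown"
        if len(st.sent_at) >= self.max_per_account:
            return "denied:account_limit"

        # Passed all checks: record the send and the new outstanding token.
        st.sent_at.append(now)
        ip_q.append(now)
        st.pending_token_expiry = now + self.token_ttl_s
        return "sent"

    def complete_reset(self, account: str) -> None:
        """Call when the user has consumed the token and set a new password."""
        st = self._accounts.get(account)
        if st is not None:
            st.pending_token_expiry = None
```

The decision strings are for the application's internal use only: the HTTP response to the requester should be the same generic "if the account exists, an email has been sent" message whether the email went out or was throttled, otherwise the throttle itself becomes an oracle for which accounts exist. For a multi-node deployment the per-account and per-IP state would live in the shared database or cache rather than in process memory as here.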