Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
security issue with password request email
I have a question on the "Forgot your password?" request, on our forum. When a username is typed into the request, the response displays the user's email address. As in; "A message has been sent to actual email address containing password reset instructions."
This is obviously a security issue, since anyone can view others' email addresses this way. How can I change this? Thanks.
This discussion has been closed.