alwaysdata All Projects: Tasklist

	ID	Status	Summary	Opened by
	89	Closed	~~Vulnerability Report: Missing Rate Limiting on Password~~ ...	Zain721	Task Description Hello Alwaysdata Security Team, I hope this message finds you well. I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page". === Vulnerability Details:=== The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions.i send the request to Intruder and set my email and set payload around 80 times and the server give me the 80 linkes on my eamil (forgot password emial link) Impact: Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information. Recommendation: To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security. Thank you for reviewing this report. Please feel free to reach out if you need additional information. kindly co-ordinate with me on this email, zainulabideen78626@gmail.com Best Regards, Zain-Ul-Abideen

Closed

~~Vulnerability Report: Missing Rate Limiting on Password~~ ...

Task Description

Hello Alwaysdata Security Team,

I hope this message finds you well.

I am reaching out as part of your Vulnerability Disclosure Program to report a potential security issue I found, titled "Lack of Rate Limiting on Password Reset Page".
===
Vulnerability Details:===

The password reset page (https://admin.alwaysdata.com/password/lost/) currently does not have rate limiting enabled, which allows repeated attempts without any restrictions.i send the request to Intruder and set my email and set payload around 80 times and the server give me the 80 linkes on my eamil (forgot password emial link)

Impact:

Without rate limiting, the password reset functionality is vulnerable to brute-force attacks. Attackers could repeatedly attempt to exploit this page, potentially compromising user accounts and exposing sensitive information.

Recommendation:

To mitigate this issue, I recommend implementing a rate limit on the password reset endpoint to restrict the number of requests allowed within a specific timeframe. Adding additional security layers, like CAPTCHA, after several failed attempts would further strengthen account security.

Thank you for reviewing this report. Please feel free to reach out if you need additional information.

kindly co-ordinate with me on this email,
zainulabideen78626@gmail.com

Best Regards,
Zain-Ul-Abideen

Showing tasks 1 - 1 of 1 Page 1 of 1

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task