email rate limit for Umbraco password reset #14843
shearer3000 started this conversation in Features and ideas
Replies: 2 comments 1 reply
-
A security penetration test of a client website has reported that there is no rate limit set on the Umbraco backoffice password reset (lost password recovery), i.e. the number of email messages a malicious user could generate. This could have potential implications such as negative user experience, system performance degradation, and even the email sending service being put on deny/block lists.
Has this been raised before (maybe in prior Umbraco penetration testing)?
A possible solution could be a new setting under https://docs.umbraco.com/umbraco-cms/reference/configuration/securitysettings to specify the number/threshold/attempts allowed within a certain timeframe?
-
Hi @shearer3000. Rate limiting is something we are looking into as a more general thing.
-
Thanks for that heads up @bergmania. Any insight on what the more general approach might entail, or is that still being decided? Thanks
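As an added illustration of the setting the original post asks for (a cap on reset emails per time window), here is a small sliding-window limiter. It is not Umbraco's code and does not show how to hook it into the backoffice reset endpoint; the class, function and parameter names, the default limits, and the sample accounts and addresses are all assumptions made for the example. It keys the cap on both the normalized account address and the requesting client address, because a limit on the account alone still lets one client spray many mailboxes, and a limit on the client alone still lets a distributed attacker flood one mailbox. The user-facing response is identical whether or not a message goes out, so the limiter cannot be used to tell registered addresses from unregistered ones.

```python
"""Sliding-window cap on password-reset emails.

Added example, not Umbraco code: it models the setting proposed in the
discussion above (at most N reset emails per key within a time window).
Names, limits and the sample data below are assumptions made for illustration.
"""
import time
from collections import deque


class ResetEmailRateLimiter:
    """Counts reset emails actually sent, per account and per client address."""

    def __init__(self, max_emails=3, window_seconds=15 * 60, clock=time.monotonic):
        self.max_emails = max_emails
        self.window = window_seconds
        self._clock = clock          # injectable so tests can run with a fake clock
        self._sent = {}              # key -> deque of send timestamps in the window

    @staticmethod
    def _account_key(email):
        # Trim and lower-case so "Editor@Example.com " and "editor@example.com"
        # share one bucket instead of giving an attacker a fresh quota each.
        return "account:" + email.strip().lower()

    def _recent_sends(self, key, now):
        """Drop timestamps that have aged out of the window, return the rest."""
        q = self._sent.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def try_acquire(self, email, client_ip):
        """Return True and record a send if both the account and the client
        address are under the cap; otherwise return False and record nothing."""
        now = self._clock()
        queues = [self._recent_sends(self._account_key(email), now),
                  self._recent_sends("client:" + client_ip, now)]
        if any(len(q) >= self.max_emails for q in queues):
            return False
        for q in queues:
            q.append(now)
        return True


# One message for every outcome, so neither the limiter nor the absence of an
# account can be used as an oracle for which addresses are registered.
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


def handle_reset_request(limiter, email, client_ip, send_email):
    """Return (response_text, sent). Only the boolean differs between outcomes."""
    if limiter.try_acquire(email, client_ip):
        send_email(email)
        return GENERIC_RESPONSE, True
    return GENERIC_RESPONSE, False


def simulate_abuse(max_emails=3, window_seconds=15 * 60):
    """Constructed scenario (assumed accounts and addresses) on a fake clock.

    Returns (flood_sent, spray_sent, distributed_sent, after_window_sent):
      flood       : one client requests a reset for one account 10 times
      spray       : a second client requests resets for 10 different accounts
      distributed : 10 different clients all target the first account
      after_window: once the window has elapsed the first account can be reset again
    """
    clock = [0.0]
    limiter = ResetEmailRateLimiter(max_emails, window_seconds, clock=lambda: clock[0])
    outbox = []                      # stands in for the real mail sender
    target = "Editor@Example.com"

    flood_sent = 0
    for _ in range(10):
        clock[0] += 1.0              # one request per second
        _, sent = handle_reset_request(limiter, target, "203.0.113.7", outbox.append)
        flood_sent += sent

    spray_sent = 0
    for i in range(10):
        clock[0] += 1.0
        _, sent = handle_reset_request(limiter, f"user{i}@example.com", "203.0.113.8", outbox.append)
        spray_sent += sent

    distributed_sent = 0
    for i in range(10):
        clock[0] += 1.0
        _, sent = handle_reset_request(limiter, target.lower(), f"198.51.100.{i}", outbox.append)
        distributed_sent += sent

    clock[0] += window_seconds       # every earlier send is now outside the window
    _, after_window_sent = handle_reset_request(limiter, target, "203.0.113.7", outbox.append)
    return flood_sent, spray_sent, distributed_sent, int(after_window_sent)


if __name__ == "__main__":
    print(simulate_abuse())
```

The limiter counts messages actually sent rather than requests received, which is what the pen-test finding measures; a deployment that wants to penalize continued hammering can record denied attempts as well. The in-memory dictionary is enough to show the policy, but a load-balanced site needs the counters in shared storage, and the client-address key must be taken from the trusted proxy header, not from an arbitrary X-Forwarded-For value.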