Published: Jan 19, 2011
Version: 1.1 (edited 27 June 2011)
Maximum Severity Rating: Low
DotNetNuke lets users who have forgotten their password have a copy of it emailed to them.
The messages returned from the forgot password utility were too detailed, and could be used to identify the existence of user accounts.
This only affects sites where the forgot password utility is used. If the authentication provider does not support this, or has enablePasswordRetrieval set to false in web.config, no action is required.
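The exposure condition above can be checked directly against a site's web.config. The following is an added example, not DotNetNuke code: it reads the membership section and reports each provider's enablePasswordRetrieval value. The sample config and the "Example..." provider names are constructed, and an absent attribute is assumed to mean false, the default for the built-in ASP.NET membership providers.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not taken from a real site).
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="true" />
        <add name="ExampleOtherProvider"
             type="Example.Hypothetical.Provider"
             enablePasswordRetrieval="False" />
        <add name="ExampleNoAttribute" type="Example.Hypothetical.Provider" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def membership_report(web_config_xml):
    """List every declared membership provider and its retrieval setting."""
    root = ET.fromstring(web_config_xml)
    report = []
    # iter() also finds <membership> nested under a <location> element.
    for membership in root.iter("membership"):
        default = membership.get("defaultProvider")
        for add in membership.findall("providers/add"):
            # Assumption: a missing attribute means retrieval is disabled.
            raw = add.get("enablePasswordRetrieval") or "false"
            report.append({
                "name": add.get("name"),
                "is_default": add.get("name") == default,
                "retrieval_enabled": raw.strip().lower() == "true",
            })
    return report


def needs_action(web_config_xml):
    """True when the default provider allows password retrieval."""
    return any(p["is_default"] and p["retrieval_enabled"]
               for p in membership_report(web_config_xml))


if __name__ == "__main__":
    for p in membership_report(SAMPLE_WEB_CONFIG):
        print(p["name"], "default" if p["is_default"] else "", p["retrieval_enabled"])
    print("upgrade recommended:", needs_action(SAMPLE_WEB_CONFIG))
```

A web.config that declares an XML namespace on its root element would need the namespace added to the element lookups.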
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, you are advised to update to the latest version of DotNetNuke (5.6.1 at time of writing).