Details
- Bug
- Status: Closed
- Could
- Resolution: Fixed
- None
Description
Credit: Timothy D. Morgan
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name= (to be entered)
In: https://192.168.2.164/openmrs/forgotPassword.form
Submitting an invalid username returns "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password." while a valid username (but no secret question) yields "Invalid user or the secret question has not been set. Please contact an administrator for help resetting your password."
Further, submitting a valid username shows the secret question itself.
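
An added example, not part of the original report and not OpenMRS code: a Python model of the behaviour described above next to a uniform-response variant, with a regression check that counts how many distinct replies a set of usernames produces. The account data, function names, reply text of the uniform variant and the e-mail-based reset are assumptions made for illustration.

```python
import secrets

# Constructed sample accounts (not taken from the report).
USERS = {
    "alice": {"email": "alice@example.org", "secret_question": "Name of first pet?"},
    "bob": {"email": "bob@example.org", "secret_question": None},
}

# Message quoted in the report.
GENERIC_ERROR = ("Invalid user or the secret question has not been set. "
                 "Please contact an administrator for help resetting your password.")
# Hypothetical reply used by the uniform variant.
UNIFORM_REPLY = ("If the account can be reset, instructions have been sent "
                 "to its registered address.")


def reported_flow(username):
    """Behaviour described in the report: a valid user with a question sees it."""
    user = USERS.get(username)
    if user is None or user["secret_question"] is None:
        return GENERIC_ERROR
    return user["secret_question"]


def uniform_flow(username, outbox):
    """Same reply for every input; the reset continues out of band."""
    user = USERS.get(username)
    if user is not None:
        # Single-use token goes to the address on file and is never echoed back.
        outbox.append((user["email"], secrets.token_urlsafe(32)))
    return UNIFORM_REPLY


def distinct_responses(flow, usernames):
    """Regression check: number of distinguishable replies across usernames."""
    return len({flow(name) for name in usernames})


if __name__ == "__main__":
    probes = ["alice", "bob", "no-such-user"]
    outbox = []
    print("reported flow:", distinct_responses(reported_flow, probes))
    print("uniform flow: ",
          distinct_responses(lambda n: uniform_flow(n, outbox), probes))
    print("reset mails queued:", len(outbox))
```

Response time is a second channel besides the reply text, so the mail dispatch in a real handler should run asynchronously to keep valid and invalid usernames on the same code path length.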