What is No Rate Limiting on Form – Registration Vulnerability?

When the registration page does not limit the number of requests, an attacker can submit many email addresses and use the differing responses to determine which accounts exist (user enumeration). The same weakness on the login screen lets an attacker brute-force user credentials. When the password-reset function has no rate limitation, an attacker can trigger it repeatedly and flood the victim's mailbox with reset emails.

This vulnerability allows user enumeration, and attackers may abuse the email and SMS services behind these forms to launch flooding attacks.
To resolve this concern, developers should enforce a timeout (a temporary lockout) after a certain number of requests in a given period of time, or add a CAPTCHA to the form pages.
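The "timeout after a certain number of requests" mitigation, as an added example that is not part of the original page: a sliding-window limiter that locks a key out for a cooldown once it exceeds the allowance, applied to a password-reset handler that limits on both the client IP and the target email address and returns the same generic message whether or not the address is registered. The limits, the `handle_password_reset` function and the IP/email values are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Policy constants (constructed for this example): 5 requests per 60 s per key,
# then the key is refused for a 300 s cooldown.
MAX_REQUESTS = 5
WINDOW_SECONDS = 60
COOLDOWN_SECONDS = 300


class FormRateLimiter:
    """Sliding-window limiter for registration / login / password-reset forms."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 cooldown=COOLDOWN_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.cooldown = cooldown
        self._hits = defaultdict(deque)   # key -> timestamps of recent requests
        self._blocked_until = {}          # key -> time at which the cooldown ends

    def allow(self, key, now=None):
        """Return True if a request for `key` may proceed, otherwise False."""
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return False            # still locked out
            del self._blocked_until[key]
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                 # drop hits outside the window
        if len(q) >= self.max_requests:
            self._blocked_until[key] = now + self.cooldown
            q.clear()
            return False
        q.append(now)
        return True


def handle_password_reset(limiter, client_ip, email, now=None):
    """Gate a reset request on the source IP *and* the target email address,
    so one mailbox cannot be flooded from many IPs. The success message is
    identical for registered and unknown addresses (no user enumeration)."""
    if not (limiter.allow("ip:" + client_ip, now)
            and limiter.allow("email:" + email.lower(), now)):
        return (429, "Too many requests; try again later.")
    # send_reset_email(email) would be called here (assumed, not implemented)
    return (200, "If that address is registered, a reset link has been sent.")
```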

ZOFixer.com security scan helps to find this vulnerability in your software and server; you can easily use it by registering on our website and activating the 30-day trial.
