Summary
We have a rate limit of 100 requests per 10 minutes on the profile edit page to prevent brute forcing of the user's password. It was possible to bypass this limit using an IP rotator, because the limit was enforced per client IP address.
Impact
An attacker could brute force the user's password if they also have access to a compromised session. Note that this issue has no impact on its own: the attacker must first compromise the user's session by some other means, since the edit password page is only accessible to a user who is already logged in.
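To illustrate why an IP-keyed limit is defeated by IP rotation while a session-keyed limit is not, here is a small simulation. This is an added example, not code from the advisory or from the patched project; it assumes a sliding-window limiter with the page's 100 requests per 10 minutes, a constructed stream of requests that reuse one session ID while cycling through several source addresses, and the (assumed) mitigation of keying the counter on the authenticated session rather than the client IP.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # 10 minutes, the window stated in the advisory
MAX_REQUESTS = 100     # 100 requests per window, as stated in the advisory


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Keys are whatever the caller chooses (client IP, session ID, ...);
    the choice of key is exactly what decides whether rotating IPs helps.
    """

    def __init__(self, limit=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Two candidate key functions. A request is a plain dict here (constructed);
# in a real app these would read the remote address and the session cookie.
def ip_key(request):
    return request["ip"]


def session_key(request):
    return request["session_id"]


def simulate(limiter, key_fn, requests):
    """Return how many of `requests` the limiter lets through."""
    return sum(1 for r in requests if limiter.allow(key_fn(r), r["t"]))


def build_rotating_requests(n_ips, per_ip):
    """Constructed sample: one session ID, `n_ips` source addresses,
    `per_ip` requests from each, all well inside a single 10-minute window."""
    reqs = []
    t = 0.0
    for i in range(n_ips):
        for _ in range(per_ip):
            reqs.append({"ip": f"203.0.113.{i}", "session_id": "sess-abc", "t": t})
            t += 0.1
    return reqs


def compare(n_ips=5, per_ip=100):
    """Return (allowed when keyed by IP, allowed when keyed by session)."""
    requests = build_rotating_requests(n_ips, per_ip)
    by_ip = simulate(SlidingWindowLimiter(), ip_key, requests)
    by_session = simulate(SlidingWindowLimiter(), session_key, requests)
    return by_ip, by_session


if __name__ == "__main__":
    by_ip, by_session = compare()
    print(f"keyed by IP:      {by_ip} of 500 requests allowed")
    print(f"keyed by session: {by_session} of 500 requests allowed")
```

With five addresses sending 100 requests each, the IP-keyed limiter sees five independent counters and admits all 500 attempts, whereas the session-keyed limiter admits only the first 100 regardless of source address. Since the page is only reachable by an authenticated user, the session (or user ID) is the stable identity to count against; an IP-derived key is additionally unreliable behind proxies if the address is taken from a client-supplied header.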
Patches
Please check e9491b3 for details of the patch.