Hi everyone,
I'm sure this has been spotted already but in 3.8.1 there appears to be a user enumeration fault in the password reset feature of the admin portal. I haven't seen the backend as I'm only pentesting a site for someone (quite possibly there exists an option to change or modify that feature - I dunno) but it seems odd that it would be there regardless.
Type any username and password, hit the reset feature, enter a valid username and it tells you the email has been sent. Enter an invalid username and it tells you the username is invalid.
I searched and couldn't find any info on it. I don't mind if it's not fixed. I just thought I'd sign up and tell someone about it.
Good day