Posts

Showing posts from August, 2023

CRM Portals: Validate Email Exists during "Forgot Password"

Image
CRM portals offer an Out of the Box "Forgot Password" feature, but what if I told you there's a hidden vulnerability? Problem: CRM Portal requests the user to provide an email address in order to send a password reset link. However, it doesn't perform a thorough check to verify if the email entered truly exists within Dataverse or not but sends this message that email has been send to reset the password. Solution: Create a Content Snippet  Name - Account/ForgotPassword/PageCopy Website - <your website name> Display Name - Forgot Password Type - HTML Content Snippet Language - English Now, hide out of the box button and create your own button inside the script tag.           // Hide and modify the button         $('#submit-forgot-password').hide();         $('#submit-forgot-password').after('<input class="btn btn-primary" type="button" value="Send"              ...