CRM Portals: Validate Email Exists during "Forgot Password"
CRM portals offer an Out of the Box "Forgot Password" feature, but what if I told you there's a hidden vulnerability? Problem: CRM Portal requests the user to provide an email address in order to send a password reset link. However, it doesn't perform a thorough check to verify if the email entered truly exists within Dataverse or not but sends this message that email has been send to reset the password. Solution: Create a Content Snippet Name - Account/ForgotPassword/PageCopy Website - <your website name> Display Name - Forgot Password Type - HTML Content Snippet Language - English Now, hide out of the box button and create your own button inside the script tag. // Hide and modify the button $('#submit-forgot-password').hide(); $('#submit-forgot-password').after('<input class="btn btn-primary" type="button" value="Send" ...