CRM Portals: Validate Email Exists during "Forgot Password"
CRM portals offer an Out of the Box "Forgot Password" feature, but what if I told you there's a hidden vulnerability?
Problem:
CRM Portal requests the user to provide an email address in order to send a password reset link. However, it doesn't perform a thorough check to verify if the email entered truly exists within Dataverse or not but sends this message that email has been send to reset the password.
Create a Content Snippet
Name - Account/ForgotPassword/PageCopy
Website - <your website name>
Display Name - Forgot Password
Type - HTML
Content Snippet Language - English
Now, hide out of the box button and create your own button inside the script tag.
// Hide and modify the button
$('#submit-forgot-password').hide();
$('#submit-forgot-password').after('<input class="btn btn-primary" type="button" value="Send" id="checkemailId">');
var inputEmailAddres = $("#Email").val();
var url = "/_api/contacts?$select=emailaddress1&$filter=emailaddress1%20eq%20%27" + inputEmailAddres + "%27%20or%20emailaddress2%20eq%20%27" + inputEmailAddres + "%27";
$.ajax({
type: "GET",
url: url,
dataType: 'json'
}).done(function (json) {
var contactsColl = json.value;
if (contactsColl.length == 1) {
$('#checkemailId').val('Sending...');
$('#submit-forgot-password').click(); // Trigger the click event
} else {
alert("EmailID does not exist in the dataverse");
}
});
This will validate if the email exists in the dataverse, it sends the email to reset password and if not, it alerts the message that "EmailID does not exist in the dataverse".
Comments
Post a Comment