Owasp.org: CVSS .9.4 / WSTG-IDNT-04 (account enumeration) against Identity Portal 14.4 SP2
It is recommended to design and configure the application so that it responds in an equivalent way (same message, same status code and comparable response time) regardless of whether the user identifier exists, so that responses are generic and do not reveal which users exist on the platform. It is also necessary to bind each request to a token that expires after a defined period and cannot be reused, so that replayed requests are rejected, and to limit the number of consecutive requests so that brute force is slowed down. It is recommended to protect the information sent to the backend against manipulation (note that encryption alone does not provide integrity; an authenticated construction such as a MAC or signature is needed for that), and additionally to count failed login attempts on the backend and, above a threshold, temporarily block the client IP. Implementing a CAPTCHA can be a useful complementary mitigation measure.
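The controls recommended above, as an added example that is not Identity Portal code and not from the vendor: a login handler that returns one generic message whether or not the identifier exists, always performs the same password-hash work so response time does not leak existence, binds each request to a single-use token with a fixed lifetime (replays and stale tokens are rejected), and locks out a client IP after a fixed number of consecutive failures. The function names, thresholds, the in-memory stores and the sample user `alice` are assumptions for illustration.

```python
"""Added example (hypothetical, not Identity Portal code): user-enumeration-resistant login.
All names, limits and the in-memory stores below are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: identifier -> (salt, password hash). Only "alice" exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy credential verified for unknown identifiers so the work factor (and thus
# the response time) is the same as for a real user with a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid identifier or password."   # one message for every failure cause
GENERIC_BLOCKED = "Too many attempts. Try again later."
MAX_FAILURES = 5            # consecutive failures per client IP before lockout
LOCKOUT_SECONDS = 300       # assumed lockout window
TOKEN_TTL_SECONDS = 120     # assumed lifetime of a request token

_failures = {}       # client_ip -> (consecutive failure count, time of last failure)
_issued_tokens = {}  # token -> expiry timestamp; removed on first use


def issue_request_token(now=None) -> str:
    """Issue a random single-use token that the client must echo back with the request."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued_tokens[token] = now + TOKEN_TTL_SECONDS
    return token


def _consume_token(token: str, now: float) -> bool:
    # pop() removes the token, so a replayed request can never validate twice
    expiry = _issued_tokens.pop(token, None)
    return expiry is not None and now <= expiry


def _is_blocked(ip: str, now: float) -> bool:
    count, last = _failures.get(ip, (0, 0.0))
    return count >= MAX_FAILURES and now < last + LOCKOUT_SECONDS


def _record_failure(ip: str, now: float) -> None:
    count, last = _failures.get(ip, (0, 0.0))
    if count >= MAX_FAILURES and now >= last + LOCKOUT_SECONDS:
        count = 0   # a previous lockout has expired; start a fresh count
    _failures[ip] = (count + 1, now)


def login(identifier: str, password: str, token: str, client_ip: str, now=None):
    """Return (ok, message). The message never depends on whether identifier exists."""
    now = time.time() if now is None else now
    if _is_blocked(client_ip, now):
        return False, GENERIC_BLOCKED
    if not _consume_token(token, now):
        _record_failure(client_ip, now)
        return False, GENERIC_FAILURE
    # Unknown identifiers are checked against the dummy hash with the same cost.
    salt, stored = USERS.get(identifier, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if identifier not in USERS or not matched:
        _record_failure(client_ip, now)
        return False, GENERIC_FAILURE
    _failures.pop(client_ip, None)   # success resets the consecutive-failure count
    return True, "Welcome."
```

In a real deployment the two dictionaries would live in a shared store (for example a cache cluster) so that every node sees the same counters and tokens. Blocking by client IP alone has two known limits: many legitimate users can share one address behind NAT, and an attacker can rotate addresses, so a per-identifier throttle and a CAPTCHA, as the vendor suggests, should be combined with it rather than replaced by it.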
Release : 14.4
Our Engineering sent us the following explanation:
1. IP displays a generic message when an identity doesn't exist in the system. It's not possible for an unauthenticated and unauthorized user to enumerate the identities that exist in the system.
2. If an identity exists, then post authentication the system allows the user to continue with the further process.
3. Identity Portal offers ReCaptcha capability to circumvent the user enumeration (and thereby DoS etc.) issues reported here. ReCaptcha is available as part of IP v14.4.1. Hence, we recommend leveraging the ReCaptcha capability.
We recommend implementing it; if there are any problems or doubts, please open a new case.