BUG #4195
Status: open
Description
Issue Description
On the Admin Profile → Reset Password page, when an email address associated with an agency account is entered, the system returns the error message “You do not have access to the administration panel.”
Because the message differs by account type, the reset endpoint acts as an oracle: it confirms that the submitted address belongs to an existing account and that the account is not an administrator. This allows account type enumeration and leaks internal access control information, which is not desirable from a security perspective.
Module / Page
Admin Profile → Reset Password
Module Section
Password Reset / Error Messaging
Screen Size
Desktop
Tested By
Tasfia Zaima
Steps to Reproduce
- Navigate to the Admin Profile → Reset Password page.
- Enter an email address associated with an agency account.
- Click the Submit / Reset Password button.
- Observe the error message displayed: “You do not have access to the administration panel.”
Expected Result
The Reset Password flow should return a generic message (e.g., “If an account exists, password reset instructions will be sent”) without revealing account type or access level.
Actual Result
The system displays the message “You do not have access to the administration panel.”, exposing that the address belongs to an existing, non-admin account and thereby revealing internal access control details.
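The fix described under Expected Result, as an added example that is not the project's code: a reset handler that reproduces the reported leak beside a hardened version, plus a small check that counts how many distinct responses each produces over a probe set. The user store, role names, messages and status codes are constructed for illustration.

```python
# Added example (not the project's code): a leaky admin password-reset
# handler beside a hardened one, with an enumeration check.
# Accounts, role names, messages and status codes are constructed.
from dataclasses import dataclass

ADMIN_PANEL_MSG = "You do not have access to the administration panel."
UNKNOWN_MSG = "No account found for that email address."
GENERIC_MSG = "If an account exists, password reset instructions will be sent."


@dataclass(frozen=True)
class User:
    email: str
    role: str  # "admin" or "agency" (constructed roles)


# Constructed sample accounts.
USERS = {
    "root@example.org": User("root@example.org", "admin"),
    "agency@example.org": User("agency@example.org", "agency"),
}

SENT = []  # records outgoing reset mail so the example runs offline


def send_reset_email(user: User) -> None:
    SENT.append(user.email)


def leaky_admin_reset(email: str, users=USERS) -> tuple[int, str]:
    """Reproduces the reported behaviour: the response depends on whether
    the account exists and on its role, so it enumerates account types."""
    user = users.get(email.strip().lower())
    if user is None:
        return 404, UNKNOWN_MSG
    if user.role != "admin":
        return 403, ADMIN_PANEL_MSG
    send_reset_email(user)
    return 200, "Password reset instructions have been sent."


def hardened_admin_reset(email: str, users=USERS) -> tuple[int, str]:
    """Same decision internally, but every branch returns the identical
    status and message; only eligible admins actually receive an email."""
    user = users.get(email.strip().lower())
    if user is not None and user.role == "admin":
        send_reset_email(user)
    # Unknown and non-admin addresses fall through silently: the role
    # check stays server-side and is never reflected to the client.
    return 200, GENERIC_MSG


def distinct_responses(handler, emails) -> set[tuple[int, str]]:
    """Enumeration check: the number of different (status, message) pairs
    a handler yields over a probe set. More than one is an observable oracle."""
    return {handler(e) for e in emails}


if __name__ == "__main__":
    probe = ["root@example.org", "agency@example.org", "nobody@example.org"]
    print("leaky:", len(distinct_responses(leaky_admin_reset, probe)), "distinct responses")
    print("hardened:", len(distinct_responses(hardened_admin_reset, probe)), "distinct responses")
```

A uniform message is necessary but not sufficient: if the admin branch sends mail synchronously while the other branches return immediately, response timing still distinguishes them, so in practice the send should be queued and the status code kept identical as well. Rate limiting on the endpoint reduces how quickly any remaining oracle can be probed.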
Attachments
PoC
Types of Issue
Functional Issue
Root Cause:
Impacted Area:
Updated by Nazmul Hossain Shovon 2 months ago
- Assignee changed from Ayat Rahman to Nazmul Hossain Shovon
Updated by Nazmul Hossain Shovon about 2 months ago
- Status changed from Pending to In Progress
- Assignee changed from Nazmul Hossain Shovon to Tasfia Zaima
- % Done changed from 0 to 100
The message seems to be accurate, as this is the admin panel.
Updated by Aman Bhuiyan 29 days ago
- Status changed from In Progress to Pending
- Assignee changed from Tasfia Zaima to Ayat Rahman
It also exposes privileged role information — specifically, that only admin users can sign in through the admin panel — which may aid attackers in enumerating account types and bypassing access controls.
Updated by Ayat Rahman 28 days ago
- Assignee changed from Ayat Rahman to Tasfia Zaima