BUG #4195

open

BUG #4242: [SQA] : Agency Authentication

BUG #4243: [SQA]: UI >> Agency Authentication

[SQA] Reset Password error message reveals account type on Admin Reset Password page

Added by Tasfia Zaima 2 months ago. Updated 14 days ago.

Status: Complete
Priority: High
Assignee:
Target version:
Start date: 02/03/2026
Due date:
% Done: 100%
Estimated time:
Spent time:

Description

Issue Description
On the Admin Profile → Reset Password page, when an email address associated with an agency account is entered, the system returns the error message “You do not have access to the administration panel.”
This message may allow account type enumeration by revealing internal access control information, which is not desirable from a security perspective.

Module / Page
Admin Profile → Reset Password

Module Section
Password Reset / Error Messaging

Screen Size
Desktop

Tested By
Tasfia Zaima


Steps to Reproduce

  1. Navigate to the admin Reset Password page.
  2. Enter an email address associated with an agency account.
  3. Click the Submit / Reset Password button.
  4. Observe the error message displayed: “You do not have access to the administration panel.”

Expected Result
The Reset Password flow should return a generic message (e.g., “If an account exists, password reset instructions will be sent”) without revealing account type or access level.

Actual Result
The system displays the message “You do not have access to the administration panel.”, exposing internal access control details.

Attachments
PoC

Types of Issue
Functional Issue


Root Cause:

Impacted Area:
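
Added example, not part of the original ticket or the project's code: a regression check for the Expected Result, comparing the reported reply with a uniform one across admin, agency and unknown addresses. The account store, function names, status codes and the vulnerable handler's reply for non-agency addresses are assumptions; only the two quoted messages come from the ticket.

```python
import secrets

# Constructed sample data: these addresses and roles are illustrative only.
ACCOUNTS = {"admin@example.test": "admin", "agency@example.test": "agency"}
PROBES = ["admin@example.test", "agency@example.test", "nobody@example.test"]
GENERIC = "If an account exists, password reset instructions will be sent"


def reset_vulnerable(email, outbox):
    """Reported behaviour: an agency address gets its own error message."""
    key = email.strip().lower()
    role = ACCOUNTS.get(key)
    if role == "agency":
        return 403, "You do not have access to the administration panel."
    if role == "admin":
        outbox.append((key, secrets.token_urlsafe(32)))
    return 200, GENERIC  # assumed reply for admin and unknown addresses


def reset_hardened(email, outbox):
    """Expected behaviour: one reply for every address, mail only for admins."""
    key = email.strip().lower()
    if ACCOUNTS.get(key) == "admin":
        # In a real handler, queue the mail so response time does not vary.
        outbox.append((key, secrets.token_urlsafe(32)))
    return 200, GENERIC


def distinct_responses(handler, probes=PROBES):
    """Collect the distinct (status, message) pairs a handler returns."""
    return {handler(p, []) for p in probes}


def leaks_account_type(handler):
    """True when replies differ between admin, agency and unknown addresses."""
    return len(distinct_responses(handler)) > 1


if __name__ == "__main__":
    for h in (reset_vulnerable, reset_hardened):
        print(h.__name__, "leaks:", leaks_account_type(h))
```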
