by plagiarist 513 days ago
I decided it was a bad thing when they sent password reset emails to addresses given by unauthenticated users. Not that I ever used them. But now it is a hard no, permanently.

They have since had other, also severe, CVEs. That has made me feel pretty confident in my decision.

1 comment

If password reset emails shouldn’t be sent to unauthenticated users, how would users reset their passwords?
There was a pretty bad bug (though I think it was a Rails footgun) that allowed you to append an arbitrary email to the reset request.

The only difficult part for the attacker was finding an email address that was used by the target, though that's usually the same as you use for git commits, and GitLab "handily" has an email address assigned to each user-id, incrementing from 1.

Usually low numbers are admins, so it's a pretty big attack vector when combined.
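The two replies above raise the same design question: a reset endpoint has to accept requests from unauthenticated callers, so the safety property cannot be "only authenticated users may ask"; it has to be "the mail goes only to the address already on file for the matched account, and the request parameter is exactly one string". The following is an added illustration written for this thread, not GitLab's or Rails' code. It models, in plain Ruby with no Rails dependency, how Rack-style parsing turns `email[]=a&email[]=b` into an Array (the footgun described above), shows the unsafe shape that would mail every element, and puts a hardened recipient lookup beside it. The user table and addresses are constructed sample data; `single_email_param`, `password_reset_recipient` and `reset_response` are names chosen here, not any framework's API.

```ruby
# Added example for this thread (not GitLab's or Rails' code): a minimal model of a
# password-reset endpoint that is safe to expose to unauthenticated callers.
require 'securerandom'

# Constructed sample user store: id => address on file. Assumption for the example.
USERS = {
  1 => 'admin@example.test',
  2 => 'dev@example.test',
}.freeze

# UNSAFE shape (the footgun): Rack-style parsing of `email[]=a&email[]=b` yields an
# Array, and Array(...) happily turns it into a recipient list. Kept only to show
# what the hardened version refuses; never ship this.
def unsafe_reset_recipients(params)
  Array(params['email'])
end

# Check 1: the parameter must be exactly one String with one '@' and no
# separators (whitespace, commas) that could smuggle a second recipient.
# Returns the normalised address or nil.
def single_email_param(raw)
  return nil unless raw.is_a?(String)
  value = raw.strip
  return nil unless value.match?(/\A[^\s,@]+@[^\s,@]+\z/)
  value.downcase
end

# Check 2: the recipient is the address stored for the matched account, never the
# caller-supplied value. Returns [recipient, token] or nil when nothing is sent.
def password_reset_recipient(params, users = USERS)
  requested = single_email_param(params['email'])
  return nil if requested.nil?
  _id, stored = users.find { |_i, addr| addr.casecmp?(requested) }
  return nil if stored.nil?
  [stored, SecureRandom.hex(16)]
end

# Check 3: the HTTP-level answer is identical whether or not the account exists,
# so the endpoint does not confirm which addresses (e.g. ones guessed from
# sequential user ids) belong to accounts. Sending happens as a side effect.
def reset_response(params, users = USERS, mailer: ->(_to, _token) {})
  hit = password_reset_recipient(params, users)
  mailer.call(hit[0], hit[1]) if hit
  'If that address belongs to an account, a reset link has been sent.'
end

if __FILE__ == $PROGRAM_NAME
  attack_shaped = { 'email' => ['admin@example.test', 'attacker@example.test'] }
  puts "unsafe would mail:  #{unsafe_reset_recipients(attack_shaped).inspect}"
  puts "hardened mails:     #{password_reset_recipient(attack_shaped).inspect}"
  puts "normal request:     #{password_reset_recipient('email' => 'Admin@example.test').inspect}"
end
```

The three checks are independent and cheap, which is the point: rejecting non-String parameters closes the array footgun even if the mailer is later refactored, using the stored address closes it even if parameter parsing changes, and the uniform response removes the enumeration side channel that sequential ids would otherwise make convenient.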