GitLab: Email notification about login email changed is not received when using verified linked email address
News category: Vulnerabilities
Source: vulners.com
Summary

In https://gitlab.com/profile, a user can update the email ID used to log in to the GitLab account using the field "Email". Usually, when this login email ID is updated, 2 emails are sent to the previous email ID, with the following subjects:

Email 1 - Email Changed: This tells that the login email has been changed to the new email.
Email 2 - Confirmation instructions: This has a confirmation link to confirm the email ID.

However, when we change this login email ID to one of the email IDs which is already linked in our GitLab account under https://gitlab.com/profile/emails, then none of the above 2 emails are sent to the previous email ID. I understand that as linked email IDs are already verified, there is no need to send the 2nd email, i.e. Confirmation instructions, but the first email, i.e. "Email Changed", should be sent to the previous email ID stating that your login email has been changed to the new one.

Steps to reproduce

1. User logs in to gitlab.com using his email ID (ex. user-one@gmail.com).
2. Now, on https://gitlab.com/profile, user updates the login email ID ("Email" field having "We also use email for avatar detection if no avatar is uploaded" written below it) to another email ID (ex. user-two@gmail.com).
3. Now, an email will go to user-one@gmail.com informing that the email change action is being done. This is as expected. (Email subject: "Email Changed")

Now, the broken scenario is as follows:

On https://gitlab.com/profile/emails, user adds new email address (ex. user-three@gmail.com).... ...
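The behaviour the summary describes, as an added example that is not part of the original report and is not GitLab's code: a hypothetical model in which the "Email Changed" notice is tied to the confirmation branch, next to a version that always notifies the previous address, plus a regression check for the already-verified case. The `User` struct, the function names and the mail hashes are assumptions made for illustration.

```ruby
# Hypothetical model of the notification decision; not GitLab's implementation.
User = Struct.new(:primary_email, :verified_emails)

EMAIL_CHANGED = "Email Changed"
CONFIRMATION  = "Confirmation instructions"

# Behaviour as reported: both mails hang off the "needs confirmation" branch,
# so switching to an already verified linked address sends nothing at all.
def change_email_coupled(user, new_email)
  old = user.primary_email
  mails = []
  return mails if new_email == old
  unless user.verified_emails.include?(new_email)
    mails << { to: old, subject: EMAIL_CHANGED }
    mails << { to: old, subject: CONFIRMATION } # recipient as the report describes it
  end
  user.primary_email = new_email
  mails
end

# Expected behaviour: the security notice to the previous address is
# unconditional; only the confirmation mail depends on verification state.
def change_email_decoupled(user, new_email)
  old = user.primary_email
  mails = []
  return mails if new_email == old
  mails << { to: old, subject: EMAIL_CHANGED }
  mails << { to: old, subject: CONFIRMATION } unless user.verified_emails.include?(new_email)
  user.primary_email = new_email
  mails
end

# Regression check for the reported scenario: the new login address is
# already a verified linked address (constructed sample data).
def notifies_previous_address?(handler)
  user = User.new("user-one@gmail.com", ["user-three@gmail.com"])
  mails = send(handler, user, "user-three@gmail.com")
  mails.any? { |m| m[:to] == "user-one@gmail.com" && m[:subject] == EMAIL_CHANGED }
end
```

A check like `notifies_previous_address?` belongs in the test suite for any account-settings flow, since a silent login-email change removes the owner's only signal that the account was modified.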