Summary: An attacker could discover the emails of accounts on ██████ through the reset field. Description: https://████/███/accounts/request_reactivation/ This password reset field has no rate limiting, it additionally allows an attacker to guess at user accounts such as admin and it will then expose the account user's email. For example, I used admin for my example and was given this email,████████. Normally password reset fields keep the account emails hidden to prevent any attempt to directly attack the user, for example phishing emails.
Activation Email Sent
We've sent an email to██████ containing a link that will reactivate your account.
If███████ is not your email address, please contact the GRiD team and we will be happy to assist you.
I would recommend changing the account reset field to log any attempts for password resets to check for any malicious or abusive attempts to harvest account names, set a limit for amount of requests for the field, and additionally make a general message such as "We have sent the reset request to the email you used on registration"