The /login endpoint could be used to produce a UI sign-in webpage with custom error messages. To do this you should simply add the loginErrorMessage variable in your GET request:
&loginErrorMessage=Account%20Blocked%0APlease%20send%20your%20Email%20and%20Password%20to%20xyz@abc.com%20to%20unblock%20your%20account.
(Note that this variable is not even reported in your official documentation)
This behaviour could be exploited by an attacker to create URLs for phishing purposes.
Is there a way to set a static message? Or to disable the login error message?
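One way to handle this in front of the application, added here as an example and not part of the original post or of the product's own code: a filter for a reverse proxy or gateway that drops `loginErrorMessage` from `/login` requests, or overwrites it with fixed text. The function name, the fixed message and the sample URLs are constructed assumptions, as is the premise that such a layer can rewrite the query string before the product sees it.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_PATH = "/login"               # endpoint named in the post
BLOCKED_PARAM = "loginerrormessage" # parameter named in the post, compared lower-cased


def sanitize_login_url(url, static_message=None):
    """Return (clean_url, tampered) for a request URL (hypothetical helper).

    For /login requests the caller-supplied loginErrorMessage is always
    discarded. If static_message is given, it is sent in its place so the
    page can only ever show text chosen by the operator.
    """
    parts = urlsplit(url)
    # Only the sign-in endpoint is filtered; a context path prefix is allowed.
    if not parts.path.rstrip("/").endswith(LOGIN_PATH):
        return url, False

    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Compare case-insensitively so a re-cased parameter name is dropped too.
    kept = [(k, v) for k, v in pairs if k.lower() != BLOCKED_PARAM]
    if len(kept) == len(pairs):
        return url, False  # nothing to strip, pass through unchanged

    if static_message is not None:
        kept.append(("loginErrorMessage", static_message))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, True


if __name__ == "__main__":
    # Constructed sample requests; idp.example.com is a placeholder host.
    samples = [
        "https://idp.example.com/login?tenant=a",
        "https://idp.example.com/login?tenant=a&loginErrorMessage=Account%20Blocked%0Aline2",
        "https://idp.example.com/help?loginErrorMessage=x",
    ]
    for s in samples:
        clean, tampered = sanitize_login_url(s, static_message="Sign-in failed.")
        # tampered=True is worth logging: legitimate links rarely carry this parameter.
        print(tampered, clean)
```

The `tampered` flag can also feed a log or alert, since inbound links that carry this parameter with free text are a useful phishing indicator.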