Attacker is able to determine if the provided username exists (and it's valid) using Request New Password feature, based on the response time.
otrs otrs