Open pwannenmacher opened 1 year ago
`verified`-flag on updating another user's address

After several discussions the following functionality should be implemented:

- `email` of the user until the new one is verified via the token
- (`maxFailedLogins` from the configuration) to change the email to an already existing one, the login of the user will be blocked and all running sessions will be closed
Bug-Report
Via the profile I can enter any email address. This does not have to be confirmed by mail, but in the `createdBy` and `updatedBy` fields we only store mail addresses. So the following attack scenario is possible:

`test@test.com`

As a consequence it is not traceable who changed values, since `test@test.com` is written to `createdBy` and `updatedBy`.

Steps to reproduce
see above
Expected behavior
Mail addresses should be verified before they are written to the user profile. Mail verification tokens should be time limited.
Additional information
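One way the behaviour requested in this issue could be implemented, as an added example and not code from the project or the issue author: the live `email` is left untouched until an HMAC-signed, time-limited token is redeemed, repeated attempts to take an address that already belongs to another user block the account and drop its sessions once the `maxFailedLogins` threshold is reached, and the audit fields hold the immutable user id instead of the address. The constants `MAX_FAILED_LOGINS` and `TOKEN_TTL_SECONDS`, the class and function names, the token format and the two sample users are assumptions made for this example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed stand-ins for the project's configuration (not its real settings).
MAX_FAILED_LOGINS = 3                   # plays the role of `maxFailedLogins`
TOKEN_TTL_SECONDS = 15 * 60             # verification tokens expire after 15 minutes
SERVER_SECRET = secrets.token_bytes(32) # per-deployment key used to sign tokens


@dataclass
class User:
    user_id: int
    email: str
    pending_email: Optional[str] = None    # candidate address, not yet verified
    failed_email_changes: int = 0
    blocked: bool = False
    sessions: set = field(default_factory=set)
    updated_by: Optional[int] = None       # audit field holds a user id, never an email


class UserStore:
    def __init__(self) -> None:
        self.users: dict[int, User] = {}

    def add(self, user: User) -> None:
        self.users[user.user_id] = user

    def email_taken(self, email: str, by_other_than: int) -> bool:
        e = email.strip().lower()
        return any(u.user_id != by_other_than and u.email.lower() == e
                   for u in self.users.values())


def _sign(payload: bytes) -> str:
    """Token = urlsafe-base64(payload || HMAC-SHA256(secret, payload))."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def _parse(token: str) -> Optional[tuple[int, str, int]]:
    """Return (user_id, email, expiry) if the MAC verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        uid, exp, email = payload.decode().split("|", 2)  # email last: may contain "|"
        return int(uid), email, int(exp)
    except ValueError:
        return None


class EmailChangeService:
    def __init__(self, store: UserStore) -> None:
        self.store = store

    def request_change(self, actor_id: int, new_email: str, now: float) -> Optional[str]:
        """Start a change; returns the token to mail to new_email, or None if rejected."""
        user = self.store.users[actor_id]
        if user.blocked:
            return None
        if self.store.email_taken(new_email, by_other_than=actor_id):
            user.failed_email_changes += 1
            if user.failed_email_changes >= MAX_FAILED_LOGINS:
                user.blocked = True
                user.sessions.clear()        # close all running sessions
            return None
        user.pending_email = new_email       # the live `email` stays as it is
        exp = int(now) + TOKEN_TTL_SECONDS
        return _sign(f"{actor_id}|{exp}|{new_email}".encode())

    def confirm_change(self, token: str, now: float) -> bool:
        parsed = _parse(token)
        if parsed is None:
            return False
        uid, email, exp = parsed
        user = self.store.users.get(uid)
        if user is None or user.blocked or now > exp or user.pending_email != email:
            return False
        if self.store.email_taken(email, by_other_than=uid):
            return False                     # taken since the token was issued
        user.email, user.pending_email, user.failed_email_changes = email, None, 0
        user.updated_by = uid                # traceable even if the address changes again
        return True


def demo() -> dict:
    """Constructed scenario: a legitimate change, an expired/tampered token, and a lockout."""
    store = UserStore()
    store.add(User(1, "alice@example.com"))
    store.add(User(2, "mallory@example.com", sessions={"sess-1"}))
    svc, t0, out = EmailChangeService(store), 1_700_000_000.0, {}
    out["claim_existing"] = svc.request_change(2, "alice@example.com", t0)  # rejected
    tok = svc.request_change(1, "alice.new@example.com", t0)
    out["email_before_confirm"] = store.users[1].email
    out["expired"] = svc.confirm_change(tok, t0 + TOKEN_TTL_SECONDS + 1)
    raw = base64.urlsafe_b64decode(tok)
    bad = base64.urlsafe_b64encode(raw[:-1] + bytes([raw[-1] ^ 0x01])).decode()
    out["tampered"] = svc.confirm_change(bad, t0 + 60)
    out["confirmed"] = svc.confirm_change(tok, t0 + 60)
    out["email_after_confirm"] = store.users[1].email
    out["updated_by"] = store.users[1].updated_by
    out["replayed"] = svc.confirm_change(tok, t0 + 61)  # pending cleared, so no
    for _ in range(MAX_FAILED_LOGINS - 1):
        svc.request_change(2, "alice.new@example.com", t0)
    out["blocked"], out["sessions"] = store.users[2].blocked, len(store.users[2].sessions)
    return out
```

The token carries its own expiry under the MAC, so no server-side token table is needed; the replay check works because confirming clears `pending_email`, and the second `email_taken` test in `confirm_change` covers an address that was free when the token was issued but claimed before it was redeemed.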