Open christtyk opened 4 years ago
Industry standard is to have 3 fields; is this possible?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, please add comments to this ticket if you would like it to stay open. Thank you for your contributions.
bump
Branch/Environment/Version: 2.9
The Portal application allowed an account's password to be changed whilst authenticated without verifying the authenticity of the user by requiring the existing password to be entered. If the account was temporarily compromised, e.g. via XSS (see finding 22946-2-01 Persistent Cross-Site Scripting) or CSRF (see finding 22946-2-04 Inefficient Cross-Site Request Forgery Protection), an attacker would be able to change the password on the account without requiring any knowledge of the existing password. As a result, the attacker could lock out the legitimate user and effectively seize control of the victim's account.
This is purely for an elective password change, unrelated to the password reset procedure. The ability of admins to change the password is unrelated to the issue.
Need to keep this in mind, as it will come up with the client. (Not top priority)
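To make the finding concrete, here is an added example (not the Portal project's code) contrasting a password-change handler that trusts the session alone with the three-field form requested above (current, new, confirm), where the current password re-authenticates the user. The in-memory user store, PBKDF2 storage and function names are assumptions made for this illustration.

```python
"""Elective password change: session-only vs. current-password re-authentication.

Added example, not code from the Portal project. The user store, hashing scheme
and handler signatures are assumptions; no web framework is involved.
"""
import hashlib
import hmac
import os

# Constructed in-memory store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
USERS: dict[str, tuple[bytes, bytes]] = {}


def _digest(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest; iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def set_password(username: str, password: str) -> None:
    """Store a fresh salt and digest for the account."""
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored digest."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _digest(password, salt))


def change_password_session_only(session_user: str, new_password: str,
                                 confirm_password: str) -> str:
    """Behaviour described in the finding: the authenticated session is the only
    proof of identity, so any request made in the victim's session succeeds."""
    if new_password != confirm_password:
        return "mismatch"
    set_password(session_user, new_password)
    return "changed"


def change_password(session_user: str, current_password: str,
                    new_password: str, confirm_password: str) -> str:
    """Three-field form: the current password must be presented and verified
    before the new one is accepted, so a hijacked session alone is not enough."""
    if not verify_password(session_user, current_password):
        # Treat as an authentication failure; log it like a failed login.
        return "current_password_invalid"
    if new_password != confirm_password:
        return "mismatch"
    if new_password == current_password:
        return "unchanged"
    set_password(session_user, new_password)
    return "changed"


def demo() -> dict[str, str]:
    """Walk through the scenario from the finding with constructed values."""
    results = {}
    set_password("alice", "old-secret")
    # Request riding the victim's session without knowing the current password.
    results["session_only"] = change_password_session_only("alice", "hijacked", "hijacked")
    set_password("alice", "old-secret")
    results["three_field_wrong_current"] = change_password(
        "alice", "not-the-password", "hijacked", "hijacked")
    results["three_field_legit"] = change_password(
        "alice", "old-secret", "new-secret", "new-secret")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In a real deployment the handler would also rotate the session identifier and invalidate other active sessions after a successful change, so that a compromised session does not survive the password it was used to set.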