
[TT-1974] - Account Password Change Does Not Verify User Authenticity #2861

Open
@christtyk

Description

Branch/Environment/Version
2.9

The Portal application allowed an account's password to be changed whilst authenticated without verifying the authenticity of the user by requiring the existing password to be entered. If the account was temporarily compromised, e.g. via XSS (see finding 22946-2-01 Persistent Cross-Site Scripting) or CSRF (see finding 22946-2-04 Inefficient Cross-Site Request Forgery Protection), an attacker would be able to change the password on the account without requiring any knowledge of the existing password. As a result, the attacker could lock out the legitimate user and effectively seize control of the victim's account.

This is purely for an elective password change, unrelated to the password reset procedure. The ability of admins to change the password is unrelated to the issue.

Need to keep this in mind, as it will come up with the client. (Not top priority)
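The flaw and its fix side by side, as an added example that is not part of the issue or of the Portal code base. It is stand-alone Go: `Account`, `VulnerableChangePassword` and `SafeChangePassword` are assumed names, and the salted SHA-256 in `hashPassword` is a constructed stand-in so the example stays standard-library-only (a real service should use a slow hash such as bcrypt or argon2id). The vulnerable path accepts a new password from any request made inside an authenticated session, which is exactly what an XSS payload or a CSRF form riding the victim's session can produce; the hardened path refuses to touch the stored hash until the caller proves knowledge of the current password, and then rotates the session identifier so any other session, including the attacker's, is logged out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Errors returned by the password-change paths (assumed names).
var (
	ErrCurrentPasswordRequired = errors.New("current password is required")
	ErrCurrentPasswordWrong    = errors.New("current password does not match")
	ErrWeakPassword            = errors.New("new password is too short")
)

// Account is a minimal stand-in for a portal user record, not the project's own type.
type Account struct {
	Email     string
	Salt      []byte
	Hash      []byte
	SessionID int // incremented on a successful change so other sessions are invalidated
}

// hashPassword is a constructed stand-in: salted SHA-256. Use bcrypt or
// argon2id in a real deployment; this keeps the example standard-library-only.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewAccount creates a record with a random per-account salt.
func NewAccount(email, password string) (*Account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Email: email, Salt: salt, Hash: hashPassword(salt, password), SessionID: 1}, nil
}

// Verify reports whether password matches the stored hash, comparing in constant time.
func (a *Account) Verify(password string) bool {
	return subtle.ConstantTimeCompare(a.Hash, hashPassword(a.Salt, password)) == 1
}

// VulnerableChangePassword mirrors the reported behaviour: being inside an
// authenticated session is the only check, so a request forged via XSS or
// CSRF can set an attacker-chosen password without knowing the old one.
func VulnerableChangePassword(a *Account, newPassword string) error {
	if len(newPassword) < 8 {
		return ErrWeakPassword
	}
	a.Hash = hashPassword(a.Salt, newPassword)
	return nil
}

// SafeChangePassword requires the existing password, verifies it before
// changing anything, and rotates the session identifier afterwards.
func SafeChangePassword(a *Account, currentPassword, newPassword string) error {
	if currentPassword == "" {
		return ErrCurrentPasswordRequired
	}
	if !a.Verify(currentPassword) {
		return ErrCurrentPasswordWrong
	}
	if len(newPassword) < 8 {
		return ErrWeakPassword
	}
	a.Hash = hashPassword(a.Salt, newPassword)
	a.SessionID++
	return nil
}

func main() {
	acct, err := NewAccount("victim@example.com", "correct horse battery") // constructed sample account
	if err != nil {
		panic(err)
	}
	// An attacker riding the victim's session knows no password at all.
	fmt.Println("vulnerable path:", VulnerableChangePassword(acct, "attacker-chosen"))
	fmt.Println("hardened, no current password:", SafeChangePassword(acct, "", "attacker-chosen2"))
	fmt.Println("hardened, guessed password:", SafeChangePassword(acct, "guess", "attacker-chosen2"))
}
```

The check has to sit in the elective change path specifically; the reset flow proves identity through a different channel (an emailed token) and the admin path is a separate authorisation decision, which is why the finding scopes itself to the self-service change only. Rotating the session identifier matters as much as the password check: without it, an attacker who already holds a live session keeps it after the legitimate user changes the password.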
