
Password should be required for user to change their account information #10122

Closed
brentgriffin opened this issue Nov 15, 2016 · 1 comment

@brentgriffin (Contributor)

Users are able to change account information including email and password without requiring their current password. So, if a user leaves dotCMS open or their session gets hijacked, their password and other account information can be changed without requiring the password to be reentered.

Expected Behavior

Any change on user account screen should require current password to be entered before the changes are persisted.
[screenshot attached to the original issue]

Steps to Reproduce (for bugs)

  1. Login to the dotCMS backend.
  2. Click your user name on the top right corner of the screen and select My Account from the menu.
  3. Enter the new password into the Password field.
  4. Re-enter the password into the Password Again field, making sure the password matches exactly.
  5. Press the Save button.
    Notice that everything is saved without requiring current password to be entered.

Context

Reported by client as a security vulnerability - https://my.dotcms.com/tickets/detail.dot?id=3b9e2a2d-3135-4a1c-b72f-d0a4d6332b94

Your Environment

  • dotCMS version used: 3.6 and earlier
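The expected behaviour in the report (refuse to persist any account change unless the current password is re-entered in the same request) as an added Java example; this is illustrative code written for this page, not dotCMS code, and the class, method and user names (`ReauthAccountUpdate`, `updateWithoutReauth`, `updateWithReauth`, user `u1`) are assumptions. It places the session-only update shape the issue describes next to a hardened version that re-verifies the password against a salted PBKDF2 hash before applying either the e-mail or the password change, so that a stolen or left-open session alone is not enough.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for an account-update handler; not dotCMS code.
public class ReauthAccountUpdate {

    // Stored credential: PBKDF2 hash plus a per-user random salt (in-memory, constructed).
    static final class Credential {
        final byte[] salt;
        final byte[] hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final class Account {
        String email;
        Credential credential;
        Account(String email, Credential credential) { this.email = email; this.credential = credential; }
    }

    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Account> accounts = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    static Credential newCredential(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new Credential(salt, pbkdf2(password, salt));
    }

    static boolean verify(Credential cred, char[] candidate) {
        // MessageDigest.isEqual compares in constant time for equal-length inputs.
        return MessageDigest.isEqual(cred.hash, pbkdf2(candidate, cred.salt));
    }

    void register(String userId, String email, char[] password) {
        accounts.put(userId, new Account(email, newCredential(password)));
    }

    // Shape described in the issue: trusts the session alone and persists whatever the form sent.
    boolean updateWithoutReauth(String sessionUserId, String newEmail, char[] newPassword) {
        Account acct = accounts.get(sessionUserId);
        if (acct == null) return false;
        if (newEmail != null) acct.email = newEmail;
        if (newPassword != null) acct.credential = newCredential(newPassword);
        return true;
    }

    // Hardened shape: every change requires the current password to verify in the same request.
    boolean updateWithReauth(String sessionUserId, char[] currentPassword, String newEmail, char[] newPassword) {
        Account acct = accounts.get(sessionUserId);
        if (acct == null || currentPassword == null || !verify(acct.credential, currentPassword)) {
            return false; // reject before touching any field
        }
        if (newEmail != null) acct.email = newEmail;
        if (newPassword != null) acct.credential = newCredential(newPassword);
        return true;
    }

    String emailOf(String userId) { return accounts.get(userId).email; }

    public static void main(String[] args) {
        ReauthAccountUpdate svc = new ReauthAccountUpdate();
        svc.register("u1", "alice@example.test", "correct horse".toCharArray());

        // Session-only check: the e-mail changes without the password ever being entered.
        svc.updateWithoutReauth("u1", "changed@example.test", null);
        System.out.println("without re-auth: " + svc.emailOf("u1"));

        // Re-auth check: a wrong (or missing) current password leaves the account untouched ...
        boolean ok = svc.updateWithReauth("u1", "wrong".toCharArray(), "other@example.test", null);
        System.out.println("with re-auth, wrong password accepted? " + ok + " -> " + svc.emailOf("u1"));

        // ... and only the correct current password lets the change through.
        ok = svc.updateWithReauth("u1", "correct horse".toCharArray(), "alice2@example.test", null);
        System.out.println("with re-auth, correct password accepted? " + ok + " -> " + svc.emailOf("u1"));
    }
}
```

The password check runs before any field is written, so a request that fails it cannot partially apply (for example changing the e-mail but not the password). Rejections from `updateWithReauth` are also a useful signal to log for detection, since repeated failures against one account from an already-authenticated session are unusual.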
@stale

stale bot commented Sep 28, 2019

This issue has been automatically marked as stale because it has not had activity within the past 90 days. It will be closed in 30 days if no further activity occurs. Thank you.

@stale stale bot added the wontfix label Sep 28, 2019
@stale stale bot closed this as completed Oct 28, 2019