Users are able to change account information including email and password without requiring their current password. So, if a user leaves dotCMS open or their session gets hijacked, their password and other account information can be changed without requiring the password to be reentered.
Expected Behavior
Any change on the user account screen should require the current password to be entered before the changes are persisted.
Steps to Reproduce (for bugs)
Login to the dotCMS backend.
Click your user name on the top right corner of the screen and select My Account from the menu.
Enter the new password into the Password field.
Re-enter the password into the Password Again field, making sure the password matches exactly.
Press the Save button.
Notice that everything is saved without requiring the current password to be entered.
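The following is an added illustration, not dotCMS code: a minimal account service showing the reported behaviour (a valid session alone is enough to change email and password) beside the expected behaviour (the current password must verify before anything is persisted, and existing sessions are rotated so a hijacked one stops working). The user store, session table and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=b""):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class AccountService:
    """In-memory users and sessions (constructed for this example, not a real backend)."""

    def __init__(self):
        self.users = {}     # user id -> {"email", "password_hash"}
        self.sessions = {}  # session token -> user id

    def create_user(self, user_id, email, password):
        self.users[user_id] = {"email": email, "password_hash": hash_password(password)}
        return self.login(user_id)

    def login(self, user_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def update_account_unverified(self, token, new_email=None, new_password=None):
        # Reported behaviour: only a valid session is checked, so an unattended or
        # hijacked session can rewrite the email and password without re-authenticating.
        user = self.users[self.sessions[token]]
        if new_email:
            user["email"] = new_email
        if new_password:
            user["password_hash"] = hash_password(new_password)

    def update_account(self, token, current_password, new_email=None, new_password=None):
        # Expected behaviour: re-authenticate before persisting any account change.
        user_id = self.sessions[token]
        user = self.users[user_id]
        if not verify_password(current_password, user["password_hash"]):
            raise PermissionError("current password required to change account details")
        if new_email:
            user["email"] = new_email
        if new_password:
            user["password_hash"] = hash_password(new_password)
        # Rotate every session for this user so a token stolen earlier is no longer valid.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}
        return self.login(user_id)
```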
This issue has been automatically marked as stale because it has not had activity within the past 90 days. It will be closed in 30 days if no further activity occurs. Thank you.
Context
Reported by client as a security vulnerability - https://my.dotcms.com/tickets/detail.dot?id=3b9e2a2d-3135-4a1c-b72f-d0a4d6332b94
Your Environment