View Issue Details

ID: 14771
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-05-10 09:28
Reporter: bewi
Assigned To: pstelling
Priority: low
Severity: minor
Status: resolved
Resolution: fixed
Product Version: 3.17.x
Summary: 14771: protect change of email address

Description:
If a logged-in user wants to change his password, he must re-enter his current password in addition to the new password. This measure is welcomed because it prevents permanent access to an account by changing the password, even if an account is temporarily accessed, for example by exploiting a cross-site scripting vulnerability.
However, it is possible to change the email address of an account without re-entering the credentials. This would allow an attacker to change an account's email address and then request a new password from support.
It is recommended that you also request the current password if you change your email address.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version*:
Server OS (if known):
Webserver software & version (if known):
PHP Version*:

Activities

DenisChenu

2019-04-12 11:16

developer   ~51450

+1 maybe for next release in my opinion: complete rework of account management

cdorin

2019-04-16 18:51

manager   ~51496

Last edited: 2021-02-08 10:21

+1

pstelling

2021-05-06 15:22

developer   ~64272

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31675

Related Changesets

LimeSurvey: master 3171d76e

2021-05-04 09:58:21

pstelling


Committer: ollehar
Fixed issue 14771: users email address could only be changed if he also enters current password
Affected Issues: 14771
mod - application/controllers/admin/useraction.php
mod - application/views/admin/user/personalsettings.php
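
The check this issue asks for, sketched as an added example: it is not the code from changeset 3171d76e and not LimeSurvey's own. The function name, the form field names and the assumption that the stored hash comes from PHP's password_hash() are all hypothetical.

```php
<?php
// Added example; field names and the storage format are assumptions,
// not LimeSurvey's schema or the code from the fix.

/**
 * Apply a personal-settings update. Changing the email address is treated
 * like changing the password: the current password must be entered again.
 *
 * @param array $user  ['email' => string, 'password_hash' => string] (password_hash() output)
 * @param array $input submitted form fields (hypothetical names)
 * @return array ['ok' => bool, 'error' => ?string, 'user' => array]
 */
function updatePersonalSettings(array $user, array $input): array
{
    $newEmail = trim((string) ($input['email'] ?? ''));
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid email', 'user' => $user];
    }

    // Only a real change needs re-authentication; compare case-insensitively
    // so re-submitting the unchanged form does not prompt for the password.
    $emailChanged = strcasecmp($newEmail, $user['email']) !== 0;
    if ($emailChanged) {
        $current = (string) ($input['current_password'] ?? '');
        // A missing field and a wrong password fail the same way.
        if ($current === '' || !password_verify($current, $user['password_hash'])) {
            return ['ok' => false, 'error' => 'current password required', 'user' => $user];
        }
        $user['email'] = $newEmail;
    }
    return ['ok' => true, 'error' => null, 'user' => $user];
}

// Constructed sample account and requests.
$user = [
    'email' => 'alice@example.org',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Request sent through a borrowed session: no password is known, so it is rejected.
$r1 = updatePersonalSettings($user, ['email' => 'mallory@example.net']);
// Change made by the account owner, who supplies the current password.
$r2 = updatePersonalSettings($user, ['email' => 'alice@example.com', 'current_password' => 'correct horse']);

var_dump($r1['ok'], $r1['user']['email'], $r2['ok'], $r2['user']['email']);
```

The decision is made on the server from the stored and submitted values, so hiding or disabling the email field in the view alone would not provide the same protection.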

Issue History

Date Modified Username Field Change
2019-04-12 11:12 bewi New Issue
2019-04-12 11:16 DenisChenu Note Added: 51450
2019-04-16 18:51 cdorin Note Added: 51496
2019-04-18 13:46 cdorin Note Edited: 51496
2019-11-26 17:48 cdorin Assigned To => cdorin
2019-11-26 17:48 cdorin Status new => assigned
2021-02-08 10:21 cdorin Assigned To cdorin =>
2021-02-08 10:21 cdorin Priority none => low
2021-02-08 10:21 cdorin Status assigned => confirmed
2021-05-06 15:22 ollehar Changeset attached => LimeSurvey master 3171d76e
2021-05-06 15:22 pstelling Note Added: 64272
2021-05-06 15:22 pstelling Assigned To => pstelling
2021-05-06 15:22 pstelling Resolution open => fixed
2021-05-10 09:28 c_schmitz Status confirmed => resolved