View Issue Details

ID: 14771
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-18 13:46
Reporter: bewi
Assigned To: (none)
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 3.17.x
Target Version: (none)
Fixed in Version: (none)
Summary: 14771: protect change of email address
Description

If a logged-in user wants to change his password, he must re-enter his current password in addition to the new password. This measure is welcomed because it prevents permanent access to an account by changing the password, even if an account is temporarily accessed, for example by exploiting a cross-site scripting vulnerability.
However, it is possible to change the email address of an account without re-entering the credentials. This would allow an attacker to change an account's email address and then request a new password from support.
It is recommended that you also request the current password if you change your email address.
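The gap the report describes and the remedy it recommends, as an added illustration in Python (not LimeSurvey's own code, which is PHP): change_email_unprotected mirrors the reported behaviour, while change_email re-verifies the current password first, the same check the password form already enforces, and records a notice for the previous address. The account model, function names and hashing parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    """Minimal user record, constructed for this example."""
    email: str
    salt: bytes
    password_hash: bytes
    audit: list = field(default_factory=list)   # events a reviewer would expect to see logged


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not LimeSurvey's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt))


def verify_password(account: Account, candidate: str) -> bool:
    # Constant-time comparison of the candidate hash against the stored hash.
    return hmac.compare_digest(hash_password(candidate, account.salt), account.password_hash)


def change_email_unprotected(account: Account, new_email: str) -> bool:
    """The behaviour reported: holding a valid session is enough to rebind the account."""
    account.email = new_email
    account.audit.append(("email_changed", new_email))
    return True


def change_email(account: Account, current_password: str, new_email: str) -> bool:
    """Hardened form: the session alone is not sufficient, the password must be re-entered."""
    if not verify_password(account, current_password):
        account.audit.append(("email_change_rejected", new_email))
        return False
    previous = account.email
    account.email = new_email
    account.audit.append(("email_changed", new_email))
    # Tell the old address so the legitimate owner learns of the change even if it was not theirs.
    account.audit.append(("notify_previous_address", previous))
    return True
```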

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser
Database & DB-Version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*

Activities

DenisChenu (developer), 2019-04-12 11:16, note ~51450

+1, maybe for next release in my opinion: complete rework of account management

cdorin (manager), 2019-04-16 18:51, note ~51496

Last edited: 2019-04-18 13:46

+1

Issue History

Date Modified Username Field Change
2019-04-12 11:12 bewi New Issue
2019-04-12 11:16 DenisChenu Note Added: 51450
2019-04-16 18:51 cdorin Note Added: 51496
2019-04-18 13:46 cdorin Note Edited: 51496