View Issue Details

ID: 14771
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-11-26 17:48
Reporter: bewi
Assigned To: cdorin
Status: assigned
Resolution: open
Product Version: 3.17.x
Summary: 14771: protect change of email address

If a logged-in user wants to change his password, he must re-enter his current password in addition to the new password. This measure is welcome because it prevents permanent access to an account by changing the password, even if the account is temporarily accessed, for example by exploiting a cross-site scripting vulnerability.
However, it is possible to change the email address of an account without re-entering the credentials. This would allow an attacker to change an account's email address and then request a new password from support.
It is recommended that the current password also be required when the email address is changed.
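The check the report asks for, as an added example in PHP (not LimeSurvey's own code): the unprotected handler beside one that verifies the current password before the address is changed. The User class, the function names and the sample account are assumptions.

```php
<?php
// Added example, not LimeSurvey code; class, function names and sample data are assumptions.
declare(strict_types=1);

final class User
{
    public int $id;
    public string $email;
    public string $passwordHash; // output of password_hash()

    public function __construct(int $id, string $email, string $passwordHash)
    {
        $this->id = $id;
        $this->email = $email;
        $this->passwordHash = $passwordHash;
    }
}

// Unprotected: any request sent inside a logged-in session changes the address,
// so a hijacked session (e.g. via XSS, as the report notes) is enough.
function changeEmailUnprotected(User $user, string $newEmail): bool
{
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $user->email = $newEmail;
    return true;
}

// Protected: the current password must be presented and verified against
// the stored hash before the address changes, matching the password form.
function changeEmailProtected(User $user, string $currentPassword, string $newEmail): bool
{
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!password_verify($currentPassword, $user->passwordHash)) {
        // Record the refused attempt for the account; the reply to the caller stays generic.
        error_log(sprintf('email change refused for user %d: re-authentication failed', $user->id));
        return false;
    }
    $user->email = $newEmail;
    return true;
}

// Constructed sample account; the hash is generated at runtime.
$user = new User(42, 'alice@example.org', password_hash('correct horse', PASSWORD_DEFAULT));
var_dump(changeEmailProtected($user, 'wrong guess', 'other@example.org'));
var_dump(changeEmailProtected($user, 'correct horse', 'alice@example.net'));
```

A notification to the previous address after a successful change gives the legitimate owner a chance to notice the switch.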

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Database & DB-Version:
Server OS (if known):
Webserver software & version (if known):
PHP Version:

2019-04-12 11:16, DenisChenu (developer), note ~51450

+1. Maybe for the next release, in my opinion: complete rework of account management.



2019-04-16 18:51, cdorin (manager), note ~51496 (last edited 2019-04-18 13:46)


Issue History

Date Modified       Username     Field          Change
2019-04-12 11:12    bewi         New Issue
2019-04-12 11:16    DenisChenu   Note Added     51450
2019-04-16 18:51    cdorin       Note Added     51496
2019-04-18 13:46    cdorin       Note Edited    51496
2019-11-26 17:48    cdorin       Assigned To    => cdorin
2019-11-26 17:48    cdorin       Status         new => assigned