View Issue Details

ID: 14771
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-12 11:53
Reporter: bewi
Assigned To: pstelling
Priority: low
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.17.x
Summary: 14771: protect change of email address
Description

If a logged-in user wants to change his password, he must re-enter his current password in addition to the new password. This measure is welcomed because it prevents permanent access to an account by changing the password, even if an account is temporarily accessed, for example by exploiting a cross-site scripting vulnerability.
However, it is possible to change the email address of an account without re-entering the credentials. This would allow an attacker to change an account's email address and then request a new password from support.
It is recommended that you also request the current password if you change your email address.
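The control the report asks for, as an added example in PHP that is not LimeSurvey's own code and does not use its API: a personal-settings handler that applies a new email address only after the submitted current password verifies against the stored hash. The function name `applyPersonalSettings`, the `$user` record shape (`email`, `password_hash`) and the form field names are assumptions; the demo data at the bottom is constructed.

```php
<?php
// Added example (not LimeSurvey code): require re-authentication before an
// email change is accepted. Assumed inputs: $user holds 'email' and a
// password_hash() value; $request is the submitted form data.

declare(strict_types=1);

/**
 * Apply a personal-settings update and return [$user, $errors].
 * The email is replaced only when the current password is supplied and
 * verifies; otherwise the old address is kept and an error is recorded.
 */
function applyPersonalSettings(array $user, array $request): array
{
    $errors = [];
    $newEmail = trim((string)($request['email'] ?? ''));
    $currentPassword = (string)($request['current_password'] ?? '');

    if ($newEmail !== '' && $newEmail !== $user['email']) {
        if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'Invalid email address.';
        } elseif ($currentPassword === ''
            || !password_verify($currentPassword, $user['password_hash'])) {
            // Re-authentication failed: a session obtained without the
            // password (e.g. via XSS) cannot redirect the reset flow.
            $errors[] = 'Current password is required to change the email address.';
        } else {
            $user['email'] = $newEmail;
        }
    }

    return [$user, $errors];
}

// Constructed demo data
$user = [
    'email'         => 'alice@example.org',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Change attempted without the current password: rejected, address unchanged
[$u1, $e1] = applyPersonalSettings($user, ['email' => 'someone-else@example.net']);
echo $u1['email'] . ' | ' . implode(' ', $e1) . PHP_EOL;

// Change attempted with the correct current password: accepted
[$u2, $e2] = applyPersonalSettings($user, [
    'email'            => 'alice.new@example.org',
    'current_password' => 'correct horse',
]);
echo $u2['email'] . ' | ' . implode(' ', $e2) . PHP_EOL;
```

The same gate should sit in front of any other account-recovery channel (security questions, phone number) for the reason the report gives: whoever controls the recovery address controls the password-reset flow, so changing it deserves the same re-authentication as changing the password itself.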

Tags: No tags attached.
Bug heat: 260
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser:
Database type & version:
Server OS (if known):
Webserver software & version (if known):
PHP Version:

Users monitoring this issue

DenisChenu

Activities

DenisChenu (developer) 2019-04-12 11:16 ~51450

+1, maybe for next release in my opinion: complete rework of account management

cdorin (reporter) 2019-04-16 18:51 ~51496
Last edited: 2021-02-08 10:21

+1

pstelling (developer) 2021-05-06 15:22 ~64272

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31675

c_schmitz (administrator) 2021-07-12 11:53 ~65276

Release done.

Related Changesets

LimeSurvey: master 3171d76e
Date: 2021-05-04 09:58:21
Author: pstelling
Committer: ollehar
Message: Fixed issue 14771: user's email address could only be changed if he also enters current password
Affected Issues: 14771
Files:
mod - application/controllers/admin/useraction.php
mod - application/views/admin/user/personalsettings.php

Issue History

Date Modified Username Field Change
2019-04-12 11:12 bewi New Issue
2019-04-12 11:16 DenisChenu Note Added: 51450
2019-04-12 11:16 DenisChenu Issue Monitored: DenisChenu
2019-04-16 18:51 cdorin Note Added: 51496
2019-04-18 13:46 cdorin Note Edited: 51496
2019-11-26 17:48 cdorin Assigned To => cdorin
2019-11-26 17:48 cdorin Status new => assigned
2021-02-08 10:21 cdorin Assigned To cdorin =>
2021-02-08 10:21 cdorin Priority none => low
2021-02-08 10:21 cdorin Status assigned => confirmed
2021-02-08 10:21 cdorin Sync to Zoho Project => |Yes|
2021-05-06 15:22 ollehar Changeset attached => LimeSurvey master 3171d76e
2021-05-06 15:22 pstelling Note Added: 64272
2021-05-06 15:22 pstelling Assigned To => pstelling
2021-05-06 15:22 pstelling Resolution open => fixed
2021-05-10 09:28 c_schmitz Status confirmed => resolved
2021-07-12 11:53 c_schmitz Note Added: 65276
2021-07-12 11:53 c_schmitz Status resolved => closed
2021-08-03 13:22 guest Bug heat 258 => 260