View Issue Details

ID: 19237
Project: Bug reports
Category: Security
View Status: public
Last Update: 2023-11-15 16:32
Reporter: tibor.pacalat
Assigned To: tibor.pacalat
Priority: none
Severity: minor
Status: feedback
Resolution: open
Product Version: 6.3.x
Summary: 19237: User should not be able to change their email to an existing one
Description

User should not be able to change their email to an existing one because this can lead to impersonation attempts.

Steps To Reproduce

  1. create an admin user "user1" and give him "User group" permissions
  2. as user1 create a group "group1" with all users
  3. user1 changes their full name and email address to match the "superadmin" one (this should not be possible to happen)
  4. user1 sends an email to all users in group1 with a malicious link in the email, like "You need to change your password! http://hack.me/please"

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 6.3.4
I will donate to the project if issue is resolved: No

Relationships

related to 18257 feedback Multiple users with same email address 
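
One way to enforce the requirement in the description above, as an added example that is not LimeSurvey's code: reject an email change when another account already uses the address, comparing on a normalized form and keeping a unique index as a backstop. The `users` table, the `email_norm` column and the functions `normalizeEmail` and `changeEmail` are hypothetical, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and function names; sample rows are constructed.

/** Canonical form used for comparison: trimmed and lowercased. */
function normalizeEmail(string $email): string
{
    return mb_strtolower(trim($email), 'UTF-8');
}

/**
 * Change a user's email unless another account already uses it.
 * Returns true on success, false when the address is invalid or taken.
 */
function changeEmail(PDO $db, int $uid, string $newEmail): bool
{
    $email = normalizeEmail($newEmail);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Application-level check: does any *other* account hold this address?
    $check = $db->prepare('SELECT 1 FROM users WHERE email_norm = ? AND uid <> ?');
    $check->execute([$email, $uid]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    try {
        // The UNIQUE index rejects the write if two requests race past the check.
        $upd = $db->prepare('UPDATE users SET email = ?, email_norm = ? WHERE uid = ?');
        $upd->execute([trim($newEmail), $email, $uid]);
        return true;
    } catch (PDOException $e) {
        return false; // treated here as a uniqueness violation
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, full_name TEXT, email TEXT, email_norm TEXT UNIQUE)');
$db->exec("INSERT INTO users VALUES (1, 'superadmin', 'admin@example.org', 'admin@example.org'),
                                    (2, 'user1', 'user1@example.org', 'user1@example.org')");

var_dump(changeEmail($db, 2, ' Admin@Example.org '));   // user1 tries the superadmin address
var_dump(changeEmail($db, 2, 'user1.new@example.org')); // user1 picks an unused address
var_dump(changeEmail($db, 1, 'ADMIN@example.org'));     // superadmin re-cases their own address
```

This covers only the account email change from the steps to reproduce; the other sender fields raised in the notes below (token sending, admin email on survey settings) are separate inputs.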

Activities

DenisChenu

2023-11-14 17:02

developer   ~78461

Same in token:

DenisChenu

2023-11-14 17:04

developer   ~78463

«Please reset your LimeSurvey GmbH password»

DenisChenu

2023-11-14 17:06

developer   ~78464

If we need to disable for Group send: we need to disable everywhere …
Particularly in

  • Token sending
  • Admin email on survey settings …

tibor.pacalat

2023-11-14 17:09

administrator   ~78465

I totally agree! Thank you for pointing this out.

Issue History

Date Modified | Username | Field | Change
2023-11-14 15:25 | tibor.pacalat | New Issue |
2023-11-14 15:27 | tibor.pacalat | Steps to Reproduce Updated |
2023-11-14 17:02 | DenisChenu | Note Added: 78461 |
2023-11-14 17:02 | DenisChenu | File Added: Capture d’écran du 2023-11-14 17-01-44.png |
2023-11-14 17:02 | DenisChenu | Bug heat | 250 => 252
2023-11-14 17:04 | DenisChenu | Note Added: 78463 |
2023-11-14 17:06 | DenisChenu | Assigned To | => tibor.pacalat
2023-11-14 17:06 | DenisChenu | Status | new => feedback
2023-11-14 17:06 | DenisChenu | Note Added: 78464 |
2023-11-14 17:09 | tibor.pacalat | Note Added: 78465 |
2023-11-14 17:09 | tibor.pacalat | Bug heat | 252 => 254
2023-11-15 16:32 | DenisChenu | Relationship added | related to 18257