Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-91

Old password not required to change email. Old password should be mandatory.

    XMLWordPrintable

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed

      Description

      Praetorian discovered this vulnerability while examining the application’s user account management features. This feature does not require a user's current password to update their email address. This is shown in the figure below.

      Ideally on Partner/Broker or company admin page, we should not able to update any field without asking old password. This password should not be sent to client side for verification.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              kunal.kedari Kunal Kedari (Inactive)
              Reporter:
              vijayendra Vijayendra Shinde (Inactive)
              Developer:
              Niteen Surwase (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: