Praetorian discovered this vulnerability while examining the application’s user account management features. This feature does not require a user's current password to update their email address. This is shown in the figure below.
Ideally on Partner/Broker or company admin page, we should not able to update any field without asking old password. This password should not be sent to client side for verification.
- relates to
-
WT-1981 Localization for password authentication
-
- Closed
-
Also check for Localization by login in 3 different languages
Assigning to Zeeshan
Verified as Old Password is required to change mail id
Zeeshan Chishty (Inactive)
added a comment - Verified as Old Password is required to change mail id Verified on stage as Password is required to change mail id
Zeeshan Chishty (Inactive)
added a comment - Verified on stage as Password is required to change mail id Please let us know for any functionality testing is needed other that Security testing on this.
Zeeshan Chishty Once you verify this from security perspective, assign to Deepali Tidke for functional verification.
Rakesh Roy we do not have production login and Production security testing is not recommended
Zeeshan Chishty (Inactive)
added a comment - Rakesh Roy we do not have production login and Production security testing is not recommended Old Password required for changing email confirmed on Production Server.
Zeeshan Chishty (Inactive)
added a comment - Old Password required for changing email confirmed on Production Server. Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket.
Kunal Kedari (Inactive)
added a comment - Functional testing is done for this feature on Production now old password is required while changing email, this change is working as expected for different locale as well. As per comments Zeeshan Chishty verified it from security perspective, hence closing the ticket. 
*Page : *
Partner/Broker Users and Admin Users (Try with all level user login)
Description :
When Partner/Broker/Company Admin make changes in self or another Partner/Broker/Company Admin then pop-up displays. This pop-up asks for logged-in password. When user enters correct password then its make changes in user, otherwise, it shows wrong password message. For Super Admin login it is not showing Old password popup. It directly updates data.
Try with all user logins for Partner/Broker/Company Admin screens
For users scenario follow the attached excel-sheet!