[ https://issues.apache.org/jira/browse/FINERACT-1698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583060#comment-17583060 ]
Francis Guchie edited comment on FINERACT-1698 at 8/22/22 4:14 PM:
-------------------------------------------------------------------

[~ikimbrah] this is a duplicate - kindly close one of them
look at ISSUE 1697

was (Author: francisguchie):
[~ikimbrah] this is a duplicate - kindly close one of them look at ISSUE 1697

> Prompt user to confirm Password before changing password
> --------------------------------------------------------
>
> Key: FINERACT-1698
> URL: https://issues.apache.org/jira/browse/FINERACT-1698
> Project: Apache Fineract
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.7.0
> Reporter: ibrahim kimbugwe
> Priority: Major
> Fix For: 1.9.0
>
> Attachments: image-2022-08-21-12-48-27-080.png
>
>
> Upon updating the password inside the user profile, a user needs to be
> prompted for his/her current password.
> Let's take a scenario of a user finishing work in the evening and forgets to
> log out of the system, the current session is 5 minutes whereby if someone
> gets onto the user's computer while logged in, he/she can change the password
> since the system allows to change a password without need to confirm the old
> password.
> !image-2022-08-21-12-48-27-080.png|width=554,height=280!
> This is a big security issue since the user's changed credentials can be used
> even off the current PC to maliciously cause harm.
> [~edcable] [~aleks], [~francisguchie] [~rrpawar] & [~eroemma] what is your
> opinion on this and can it receive attention please?

--
This message was sent by Atlassian Jira (v8.20.10#820010)
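
The check the issue asks for, as an added example that is not part of the original message and is not Fineract's code: a password change that succeeds only when the caller re-proves the current password, even inside an already authenticated session. The class and method names, the PBKDF2 scheme and the iteration count are assumptions, and the credentials are constructed samples.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical sketch: all names here are assumptions, not Fineract classes.
public class PasswordChangeExample {
    static final int ITERATIONS = 210_000; // assumed PBKDF2 work factor

    static final class User {
        byte[] salt = new byte[16];
        byte[] hash;
        User(char[] password) throws Exception {
            new SecureRandom().nextBytes(salt);
            hash = derive(password, salt);
        }
    }

    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // A live session alone is not enough: the caller must also prove knowledge
    // of the current password before the stored hash is replaced.
    static boolean changePassword(User user, char[] current, char[] next, char[] repeat)
            throws Exception {
        if (current == null || current.length == 0) return false; // no re-authentication supplied
        if (next == null || next.length == 0 || !Arrays.equals(next, repeat)) return false;
        // Compare derived hashes in constant time; on mismatch nothing is modified.
        if (!MessageDigest.isEqual(derive(current, user.salt), user.hash)) return false;
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        user.hash = derive(next, salt);
        user.salt = salt;
        return true;
    }

    public static void main(String[] args) throws Exception {
        User u = new User("Evening#Shift1".toCharArray()); // constructed sample credentials
        char[] wanted = "Replacement-9x".toCharArray();
        // Someone at the unattended, logged-in PC who cannot supply the current password:
        System.out.println("no current password: " + changePassword(u, null, wanted, wanted));
        System.out.println("wrong current password: " + changePassword(u, "guess".toCharArray(), wanted, wanted));
        // The account owner, who can:
        System.out.println("correct current password: " + changePassword(u, "Evening#Shift1".toCharArray(), wanted, wanted));
    }
}
```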