Peter Chen created FINERACT-2133:
------------------------------------
Summary: Unverified Password Change
Key: FINERACT-2133
URL: https://issues.apache.org/jira/browse/FINERACT-2133
Project: Apache Fineract
Issue Type: Bug
Components: Client, Security
Reporter: Peter Chen
h2. Description
When setting a new password for a user, the application does not require
knowledge of the original password or any other form of authentication.
h2. Reproduction Steps
1- Login at https://openmf.github.io/web-app/ or https://demo.mifos.io
2- Visit the {{Profile}} section, located under the top-right button
3- Click on {{Change Password}} and notice that no password confirmation is
necessary with the {{Change Password}} functionality
4- The password has been changed successfully.
h2. Impact Details
An Unverified Password Change vulnerability can be exploited by an attacker to
change the password of another user, thus gaining the privileges associated
with that user.
h2. Remediation Advice
Make sure to implement a proper re-authentication mechanism for sensitive
operations such as Change Password and Change Email Address/Username.
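One way to implement the re-authentication this advice calls for, shown as an added illustration that is not Fineract's own code: the unverified handler from the report beside a version that requires the current password and revokes the user's other sessions. The in-memory user store, PBKDF2 hashing and session bookkeeping are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # constructed example value, not a Fineract setting


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash for storage/verification."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(store: dict, username: str, password: str) -> None:
    """Constructed store record: per-user salt, hash and active session ids."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash(password, salt), "sessions": set()}


def verify_password(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    # Constant-time comparison so response time does not leak matching bytes.
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def change_password_unverified(store: dict, username: str, new_password: str) -> None:
    """The flawed pattern in the report: whoever can reach this operation in the
    victim's session sets a new password without proving they know the old one."""
    salt = os.urandom(16)
    store[username].update(salt=salt, hash=_hash(new_password, salt))


def change_password_reauth(store: dict, username: str, current_password: str,
                           new_password: str, session_id: str) -> None:
    """Remediated version: the caller must re-authenticate with the current
    password, and every other session is revoked so a stolen session cannot
    keep the account after the owner changes the password."""
    if not verify_password(store, username, current_password):
        raise PermissionError("re-authentication failed")
    if current_password == new_password:
        raise ValueError("new password must differ from the current one")
    rec = store[username]
    salt = os.urandom(16)
    rec.update(salt=salt, hash=_hash(new_password, salt))
    rec["sessions"] = {session_id}  # keep only the session that re-authenticated
```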
--
This message was sent by Atlassian Jira
(v8.20.10#820010)