[ https://issues.apache.org/jira/browse/FINERACT-2133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Wells updated FINERACT-2133:
----------------------------------
    Description: [Redacted]  (was: h2. Description
 
When setting a new password for a user, the application does not require 
knowledge of the original password or any other form of authentication.
 
h2. Reproduction Steps
 
1- Log in at https://openmf.github.io/web-app/ or https://demo.mifos.io

2- Visit the {{Profile}} section located at the top right button

3- Click on {{Change Password}} and notice that no password confirmation is 
necessary with the {{Change Password}} functionality

4- The password has been changed successfully.
h2. Impact Details
An Unverified Password Change vulnerability can be exploited by an attacker to 
change passwords for another user, thus gaining the privileges associated with 
that user.
h2. Remediation Advice
Make sure to implement a proper re-authentication mechanism on sensitive 
operations like Change Password and Change Email Address / Username.)

> Unverified Password Change
> --------------------------
>
>                 Key: FINERACT-2133
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2133
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client, Security
>            Reporter: Peter Chen
>            Priority: Minor
>              Labels: client, security, web
>
> [Redacted]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)