http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12371

dmin <dmin...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - low                    |P1 - high
                 CC|                            |dmin...@gmail.com
            Version|3.14                        |3.16
           Severity|enhancement                 |critical

--- Comment #2 from dmin <dmin...@gmail.com> ---
When two (or more) patrons are unverified, this issue causes all of the patrons
to receive a verification email with the same token.

If this link is used by the patron who is not associated with the token in the
borrower_modifications table, the user name and password for the borrower who
is associated with that token are displayed, providing access to the account
and personal details of another patron.

This represents a critical privacy issue with self-registrations.

This issue is known to affect 3.16.X (did not use self-registration in 3.14.X).

Additionally, our borrower_modifications table always shows borrower # as 0,
since borrower number is not generated until the patron is added to the
borrowers table in opac-registration-verify.pl using AddMember_OPAC.

It appears the issue is stemming from the section of opac-memberentry.pl where
the verification email is generated (as all tokens in the
borrower_modifications table are unique) and only the token in the email is
incorrect.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/