[ 
https://issues.apache.org/jira/browse/FINERACT-1697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francis Guchie reassigned FINERACT-1697:
----------------------------------------

    Assignee: Rahul Pawar

> Prompt user to confirm Password before changing password
> --------------------------------------------------------
>
>                 Key: FINERACT-1697
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1697
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.7.0
>            Reporter: ibrahim kimbugwe
>            Assignee: Rahul Pawar
>            Priority: Major
>             Fix For: 1.9.0
>
>         Attachments: image-2022-08-21-12-42-00-827.png
>
>
> Upon updating the password inside the user profile, a user needs to be 
> prompted for his/her current password.
> Let's take a scenario of a user who finishes work in the evening and forgets to 
> log out of the system; the current session is 5 minutes, whereby if someone 
> gets onto the user's computer while logged in, he/she can change the password 
> since the system allows changing a password without the need to confirm the old 
> password.
> !image-2022-08-21-12-42-00-827.png|width=554,height=217!
> This is a big security issue since the user's changed credentials can be used 
> even off the current PC to maliciously cause harm. 
> [~edcable] [~aleks], [~francisguchie] [~rrpawar] & [~eroemma] what is your 
> opinion on this and can it receive attention please?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
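
The check the issue asks for, sketched as an added example; it is not Fineract's code and not part of the original message. The class and method names, the in-memory store, the PBKDF2 parameters and the sample account are all assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical service: a password change must re-prove knowledge of the current password. */
public class PasswordChangeExample {
    record Credential(byte[] salt, byte[] hash) {}

    private final Map<String, Credential> store = new HashMap<>(); // stand-in for the user table
    private final SecureRandom rng = new SecureRandom();

    static byte[] derive(char[] password, byte[] salt) throws Exception {
        // Iteration count and key length are assumed values, not taken from the issue.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        store.put(user, new Credential(salt, derive(password, salt)));
    }

    /** Returns true only if the caller supplied the correct current password. */
    boolean changePassword(String sessionUser, char[] current, char[] replacement) throws Exception {
        Credential c = store.get(sessionUser);
        // A valid session alone is not enough: whoever sits at an unattended
        // browser holds the session but does not know the current password.
        // MessageDigest.isEqual compares the two hashes in constant time.
        if (c == null || !MessageDigest.isEqual(c.hash(), derive(current, c.salt()))) {
            return false; // caller should log the failure and count it toward lockout
        }
        register(sessionUser, replacement); // stores a fresh salt and hash
        return true; // caller should also invalidate the user's other sessions here
    }

    public static void main(String[] args) throws Exception {
        PasswordChangeExample svc = new PasswordChangeExample();
        svc.register("teller1", "Evening#Shift1".toCharArray()); // constructed sample account
        // Wrong current password from the unattended desk: the change is refused.
        System.out.println(svc.changePassword("teller1", "guess".toCharArray(), "Other#Pass9".toCharArray()));
        // The account owner supplies the current password: the change succeeds.
        System.out.println(svc.changePassword("teller1", "Evening#Shift1".toCharArray(), "Morning#Shift2".toCharArray()));
    }
}
```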
