Description
- It was noted that the application password change functionality did not require the current password for the user to change their password
Current Password not Required When Changing Password
Steps to Reproduce:
- Login with user and click on profile icon
- Select "Change Credentials"
- The user would not be required to enter current password for updating their password
// HTTP POST Request - Changing Password
POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]
{"schema":"admin_save","data":{"name":"John Connor","login":"gz82g8WYq3","password":"Passw0rd!"}}
// HTTP Response - Changing Password
HTTP/1.1 200 OK
set-cookie: NPgdS=13030-39383d41540751460a15064b0f7449766a261756481745550d1f5f05414b061f5e6456343a630323750702160307415f584656405e390e3e38360e591d471c0619711511121d111f4f3a023530306156510b014f0d5045; Expires=Wed, 26 Nov 2025 16:25:39 GMT; Path=/; SameSite=Lax
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:25:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 16
{"success":true}
No comments:
Post a Comment