Activity
- Robin Shen opened 6 months ago
- Robin Shen changed fields 6 months ago
- Robin Shen changed fields 6 months ago
- Robin Shen changed fields 6 months ago
- Robin Shen changed title 6 months ago
- Robin Shen changed title 6 months ago
- OneDev changed state to 'Closed' 6 months ago: state changed as code fixing the issue is committed (d1de32b6)
- Referenced from commit 6 months ago
- OneDev changed state to 'Released' 6 months ago: state changed as build #4241 is successful
Type: Security Vulnerability
Priority: Major
Assignee: (none)
Labels: No labels
Issue Votes (0)
From user:
Looks like the reset password feature of OneDev can be abused to lock users out of their accounts. It resets the user's password immediately, instead of creating a temporary access token that can only be used to reset the password, keeping the existing password valid until this is done.
What if I temporarily don't have access to my email account, if the email address in my profile is no longer valid, if some aggressive spam filter is blocking the reset email, and so on? Somebody can lock me out and require admin or shell access to fix that.
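The token-based flow the report asks for, written out as an added example (Python, not OneDev's own Java code). It puts the behaviour the report describes (`reset_immediately`, which overwrites the password at request time) next to a hardened flow that issues a random, single-use, time-limited token, stores only the token's hash, and leaves the existing password valid until the token is actually consumed. `TOKEN_TTL_SECONDS`, the in-memory user store and the sample accounts are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (illustrative; prefer argon2/bcrypt in a real service)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class User:
    name: str
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None  # only the hash is stored server-side
    reset_expires_at: float = 0.0


def _find_by_email(users: Dict[str, User], email: str) -> Optional[User]:
    return next((u for u in users.values() if u.email == email), None)


def reset_immediately(users: Dict[str, User], email: str) -> Optional[str]:
    """Behaviour the report describes: overwrite the password as soon as a reset is
    requested and mail the new one. Anyone who knows the e-mail address locks the
    real owner out until (unless) that mail arrives."""
    user = _find_by_email(users, email)
    if user is None:
        return None
    new_password = secrets.token_urlsafe(12)
    user.password_hash = hash_password(new_password)
    return new_password


def request_reset(users: Dict[str, User], email: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened flow: issue a random, single-use, time-limited token and store only
    its hash. The current password stays valid, so an unsolicited request changes nothing."""
    now = time.time() if now is None else now
    user = _find_by_email(users, email)
    if user is None:
        return None  # the HTTP layer should show the same "check your mail" text either way
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires_at = now + TOKEN_TTL_SECONDS
    return token  # goes into the e-mail link only, never into logs or the database


def complete_reset(users: Dict[str, User], token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the token; only now is the password replaced."""
    now = time.time() if now is None else now
    wanted = hashlib.sha256(token.encode()).hexdigest()
    for user in users.values():
        if user.reset_token_hash and hmac.compare_digest(user.reset_token_hash, wanted):
            user.reset_token_hash = None  # single use, whether or not it is still valid
            if now > user.reset_expires_at:
                return False
            user.password_hash = hash_password(new_password)
            return True
    return False


def verify_login(users: Dict[str, User], name: str, password: str) -> bool:
    user = users.get(name)
    return user is not None and check_password(password, user.password_hash)


def make_store() -> Dict[str, User]:
    """Constructed sample accounts for the walkthrough below."""
    return {
        "alice": User("alice", "alice@example.com", hash_password("correct horse")),
        "bob": User("bob", "bob@example.com", hash_password("hunter2")),
    }


if __name__ == "__main__":
    users = make_store()
    reset_immediately(users, "bob@example.com")
    print("bob still logs in after an unsolicited reset:", verify_login(users, "bob", "hunter2"))

    token = request_reset(users, "alice@example.com", now=1000.0)
    print("alice still logs in after a reset request:", verify_login(users, "alice", "correct horse"))
    print("reset with the mailed token:", complete_reset(users, token, "new pass", now=1100.0))
    print("token replay rejected:", not complete_reset(users, token, "again", now=1200.0))
```

Two details matter beyond the token itself: a second request overwrites the stored hash, so the earlier link stops working, and the hash comparison uses `hmac.compare_digest` so a guessed token is not leaked through timing. The web handler in front of this should also rate-limit reset requests per address and return the same response for unknown e-mail addresses.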