Issue history:

- Type changed: Bug -> Security Vulnerability
- Priority changed: Major -> Normal
- Priority changed: Normal -> Major
- Title changed: "Password reset can be used to block account from signing in by malicious users" -> "Password reset can be used to block account by malicious users"
- Title changed: "Password reset can be used to block account by malicious users" -> "Password reset can be abused to block accounts"
- OneDev changed state to 'Closed' 2 years ago (Open -> Closed): state changed as code fixing the issue is committed (d1de32b6)
- OneDev changed state to 'Released' 2 years ago (Closed -> Released): state changed as build #4241 is successful
| Type | Security Vulnerability |
| Priority | Major |
| Assignee | |
| Labels | No labels |
From user:
Looks like the reset password feature of OneDev can be abused to lock users out of their accounts. It resets the user's password immediately, instead of creating a temporary access token that can only be used to reset the password, keeping the existing password valid until this is done.
What if I temporarily don't have access to my email account, if the email address in my profile is no longer valid, if some aggressive spam filter is blocking the reset email, and so on? Somebody can lock me out and require admin or shell access to fix that.
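The two flows contrasted in the report, as an added example in Python (not OneDev's own code, which is Java; the in-memory user store, the sample account and the SHA-256 hashing are assumptions for illustration): the flawed flow replaces the password the moment a reset is requested, while the hardened flow issues a single-use, expiring token and leaves the current password valid until that token is redeemed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the user database (assumption, not OneDev's schema).
# SHA-256 is used only to keep the example short; a real store would use a slow KDF (argon2/bcrypt).
def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"alice@example.com": {"pw_hash": _hash("correct-horse")}}
RESET_TOKENS = {}          # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL_SECONDS = 15 * 60

def check_login(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash(password))

def reset_immediately(email):
    """Flawed flow from the report: anyone who submits the address replaces the stored
    password at once, so the owner is locked out until (and unless) the mail arrives."""
    new_password = secrets.token_urlsafe(12)
    USERS[email]["pw_hash"] = _hash(new_password)
    return new_password   # this value would be e-mailed to the account

def request_reset(email):
    """Hardened flow: issue a random, single-use, time-limited token that can only be used
    to set a new password. Nothing about the account changes until the token is redeemed."""
    if email not in USERS:
        return None       # respond identically to the requester either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = (email, time.time() + TOKEN_TTL_SECONDS)
    return token          # this value would be e-mailed to the account, never stored in clear

def complete_reset(token, new_password):
    """Redeem a token once; expired, unknown or already-used tokens are rejected."""
    entry = RESET_TOKENS.pop(_hash(token), None)
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry:
        return False
    USERS[email]["pw_hash"] = _hash(new_password)
    return True
```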