CMS MADE SIMPLE FORGE

Frontend Users

 

[#3989] Change settings doesn't require password

Created By: David Ursem (mcDavid)
Date Submitted: Fri Sep 04 04:35:20 -0400 2009

Assigned To:
Version: 1.6.9
CMSMS Version: None
Severity: Minor
Resolution: None
State: Open
Summary:
Change settings doesn't require password
Detailed Description:
This might not be a bug, but it is a security issue. If any user forgets to log
out, and somebody else comes across the change settings page, he or she could
easily enter a new password and mail address, thereby completely hijacking the
account.

I think it's important to ask users to enter their password to change those
settings, even if they're logged in.


History

Updates

Updated: 2009-09-30 20:07
severity_id: 12 => 3

Updated: 2009-09-04 04:37
version_id: -1 => 28070
resolution_id: => 5
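
The check requested in this report, as an added example that is not part of the original report and is not Frontend Users module code: a settings handler that refuses to change the e-mail address or password unless the current password is supplied again, even inside a logged-in session. The function name `change_settings`, the record and form field names, and storage of passwords via PHP's `password_hash()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical handler and field names, not module code.

/**
 * Change e-mail and/or password only after the caller re-enters the
 * current password. A valid session alone is not treated as sufficient.
 *
 * $user: stored record ['email' => ..., 'password_hash' => ...] (assumed shape)
 * $form: submitted fields 'current_password', 'new_email', 'new_password'
 * Returns [userRecord, errorMessageOrNull]; on error the record is unchanged.
 */
function change_settings(array $user, array $form): array
{
    $current = (string)($form['current_password'] ?? '');

    // Re-authentication step: verify the current password before any change.
    if ($current === '' || !password_verify($current, $user['password_hash'])) {
        return [$user, 'Current password is required to change these settings.'];
    }

    $newEmail = trim((string)($form['new_email'] ?? ''));
    if ($newEmail !== '') {
        if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
            return [$user, 'Invalid e-mail address.'];
        }
        $user['email'] = $newEmail;
    }

    $newPassword = (string)($form['new_password'] ?? '');
    if ($newPassword !== '') {
        $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    return [$user, null];
}

// Constructed sample account.
$user = [
    'email' => 'owner@example.com',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Unattended session, no current password supplied: rejected, record unchanged.
[$after, $err] = change_settings($user, ['new_email' => 'other@example.net', 'new_password' => 'x']);
var_dump($err !== null, $after['email'] === 'owner@example.com');

// Account owner supplies the current password: change is applied.
[$after, $err] = change_settings($user, ['current_password' => 'correct horse', 'new_email' => 'new@example.com']);
var_dump($err === null, $after['email'] === 'new@example.com');
```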