Project: ZZZ: PUBLIC - Old Liferay Portal (Use Liferay Portal Standard Edition)
Issue: LEP-1432

"Forgot Password" allows to change another user's password

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Completed
    • Affects Version/s: 4.1.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      The "Forgot Password" functionality generates a new password and sends it to the user by email. This can be misused to change the password of another user whose email address is known or guessed.
      That is an annoyance in the best case, where the user affected really gets and reads the new password email. If the user ignores this mail or it is sorted out by a spam filter, the user is not able to log in again.

      A better behaviour would be to send the current password without changing it, maybe forcing the user to change it herself on the next login.
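
A small model of the behaviour reported above beside a token-based request flow, added here as an illustration and not taken from Liferay's code. The class, method names, token lifetime and in-memory mail outbox are assumptions, and the token flow is a different remedy from the one proposed in the description: the request alone never alters the stored password.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)

def _hash(secret: str) -> str:
    # Stand-in digest for the sketch; a real system uses a slow password KDF.
    return hashlib.sha256(secret.encode()).hexdigest()

class Accounts:
    def __init__(self):
        self.pw = {}      # email -> password hash
        self.tokens = {}  # email -> (token hash, expiry timestamp)
        self.outbox = []  # constructed stand-in for outgoing mail

    def add(self, email, password):
        self.pw[email] = _hash(password)

    def login(self, email, password):
        return hmac.compare_digest(self.pw.get(email, ""), _hash(password))

    def forgot_password_reported(self, email):
        """Behaviour described in the issue: the request itself replaces the password."""
        if email in self.pw:
            new = secrets.token_urlsafe(9)
            self.pw[email] = _hash(new)
            self.outbox.append((email, new))

    def forgot_password_token(self, email, now=None):
        """The request only mails a one-time token; the stored password is untouched."""
        if email in self.pw:
            now = time.time() if now is None else now
            token = secrets.token_urlsafe(32)
            self.tokens[email] = (_hash(token), now + TOKEN_TTL)
            self.outbox.append((email, token))

    def redeem(self, email, token, new_password, now=None):
        """Completing the change requires the token that was sent to the mailbox."""
        now = time.time() if now is None else now
        stored, expiry = self.tokens.get(email, ("", 0))
        if not stored or now > expiry or not hmac.compare_digest(stored, _hash(token)):
            return False
        del self.tokens[email]  # single use
        self.pw[email] = _hash(new_password)
        return True
```

With the token flow, an unread or spam-filtered message leaves the account exactly as it was, which removes the lockout case the description raises.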
