Password change without identity check
Description
The system allows a user to change their password without requiring the current password or enforcing any other identity verification mechanism.
Impact
Gain total control over a user account.
Recommendation
- Guarantee that the current password is required when a user requests a password change.
- Use a second authentication mechanism to ensure the password change is performed by the account owner.
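The following is an added example, not code from the original page or from any specific product: it contrasts a password-change routine that trusts the session alone with one that applies both recommendations, re-verifying the current password and requiring a single-use second-factor code before the hash is replaced. The `User` record, the PBKDF2 parameters and the six-digit code scheme are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    """Hypothetical account record (assumed for this example)."""
    username: str
    salt: bytes
    pw_hash: bytes
    pending_code: Optional[str] = None  # one-time second-factor code, if issued


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)


def change_password_unsafe(user: User, new_password: str) -> None:
    """Vulnerable pattern: anyone holding the session can set a new password.

    No current-password check and no second factor, so a hijacked or
    unattended session is enough to take the account over.
    """
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(new_password, user.salt)


class IdentityCheckFailed(Exception):
    """Raised when the requester cannot prove they own the account."""


def issue_second_factor_code(user: User) -> str:
    """Generate a single-use code to be delivered out of band (e.g. e-mail, SMS, app)."""
    code = f"{secrets.randbelow(10**6):06d}"
    user.pending_code = code
    return code


def change_password(user: User, current_password: str, new_password: str,
                    second_factor_code: Optional[str]) -> bool:
    """Hardened pattern: require the current password and a valid one-time code."""
    if not verify_password(user, current_password):
        raise IdentityCheckFailed("current password does not match")
    if (user.pending_code is None or second_factor_code is None
            or not hmac.compare_digest(user.pending_code, second_factor_code)):
        raise IdentityCheckFailed("second factor missing or incorrect")
    user.pending_code = None  # codes are single-use; clear before rotating the hash
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(new_password, user.salt)
    return True


if __name__ == "__main__":
    alice = create_user("alice", "correct horse")
    code = issue_second_factor_code(alice)  # would be sent to the owner out of band
    print(change_password(alice, "correct horse", "battery staple", code))  # True
    print(verify_password(alice, "battery staple"))  # True
```

In a real application the second-factor check would typically be backed by a TOTP or push-based authenticator rather than a code stored on the user record, and the issued code should also expire after a short window; the structure of the check (verify current password, then verify a fresh proof of possession, then rotate) stays the same.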
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⏱️ 15 minutes.
Requirements
238 - Establish safe recovery