Description
Upon updating the password inside the user profile, a user needs to be prompted for his/her current password.
Let's take a scenario of a user who finishes work in the evening and forgets to log out of the system. The current session is 5 minutes, whereby if someone gets onto the user's computer while logged in, he/she can change the password, since the system allows changing a password without the need to confirm the old password.
This is a big security issue since the user's changed credentials can be used even off the current PC to maliciously cause harm.
edcable, aleks, francisguchie, rrpawar & eroemma, what is your opinion on this, and can it receive attention please?
Attachments
Issue Links
- is a child of FINERACT-1874 Release Apache Fineract 1.9.0
- In Progress
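
The gap reported above, shown as an added example that is not Fineract's code: a password change that trusts the live session alone, beside one that re-verifies the current password first. The class, the method names, the PBKDF2 parameters and the sample passwords are all hypothetical and constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical, self-contained sketch; these are not Fineract's user or password classes.
public class PasswordChangeDemo {
    static final int ITERATIONS = 210_000, KEY_BITS = 256;  // illustrative PBKDF2 parameters

    static final class Account {  // constructed stand-in for a stored user record
        byte[] salt, hash;
        Account(char[] password) throws GeneralSecurityException { set(password); }
        void set(char[] password) throws GeneralSecurityException {
            salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            hash = derive(password, salt);
        }
    }

    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
    // Behaviour described in the report: a live session alone is enough to replace the password.
    static void changePasswordSessionOnly(Account a, char[] newPassword) throws GeneralSecurityException {
        a.set(newPassword);
    }

    // Requested behaviour: the caller must also prove knowledge of the current password.
    static boolean changePassword(Account a, char[] current, char[] newPassword) throws GeneralSecurityException {
        byte[] candidate = derive(current, a.salt);
        if (!MessageDigest.isEqual(candidate, a.hash)) {  // constant-time comparison
            return false;                                  // reject; stored credential is untouched
        }
        a.set(newPassword);
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Account user = new Account("correct horse".toCharArray());
        System.out.println(changePassword(user, "guess".toCharArray(), "other-pw".toCharArray()));
        System.out.println(changePassword(user, "correct horse".toCharArray(), "new-secret".toCharArray()));
    }
}
```

With the second method, a person at an unattended, still-logged-in workstation cannot replace the credential without knowing the current password; failed attempts on this path should be rate-limited and logged like failed logins.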