
Bug #13768

open

UpdatePasswordWidget bypasses MFA

Added by Raf Pauwels about 1 month ago. Updated 3 days ago.

Status: InProgress
Priority: Normal
Assignee:
Target version:
Start date: 06/05/2025
Due date:
% Done: 0%
Estimated time:

Description

The default implementation of UpdatePasswordWidget strongly authenticates a user as soon as their password is successfully changed. Not only is this discouraged by OWASP, but it bypasses second factor authentication altogether if this is in place.

The default lost password implementation reduces authentication to a single factor (email), even with MFA enabled. We can close this loophole by still requiring the normal login procedure after resetting the password.
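The two behaviours described above, as an added stand-alone model (this is not Wt's own code; `Login`, `resetPasswordVulnerable` and `resetPasswordFixed` are hypothetical names chosen for the illustration): the reported flow grants a strong login straight after the email-token reset, while the proposed flow only changes the password and sends the user back through the normal login, where the second factor is still checked.

```cpp
#include <cassert>
#include <iostream>
#include <string>

enum class LoginState { LoggedOut, RequiresMfa, Strong };

struct User {
  std::string name;
  std::string passwordHash;   // stand-in for a real password hash
  bool mfaEnrolled;           // user has a second factor configured
};

struct Login {
  LoginState state = LoginState::LoggedOut;

  // Normal login procedure: a correct password is only "Strong" for a user
  // without a second factor; otherwise the session parks in RequiresMfa.
  void loginWithPassword(const User& u, const std::string& hash) {
    if (hash != u.passwordHash) { state = LoginState::LoggedOut; return; }
    state = u.mfaEnrolled ? LoginState::RequiresMfa : LoginState::Strong;
  }
  void verifySecondFactor(bool codeOk) {
    if (state == LoginState::RequiresMfa && codeOk) state = LoginState::Strong;
  }
};

// Reported behaviour: completing the email-token reset strongly
// authenticates the user, so the second factor is never consulted.
LoginState resetPasswordVulnerable(Login& login, User& u, const std::string& newHash) {
  u.passwordHash = newHash;
  login.state = LoginState::Strong;   // MFA bypassed here
  return login.state;
}

struct ResetOutcome { LoginState state; bool redirectToLogin; std::string notice; };

// Proposed behaviour: the reset only changes the password; the session stays
// logged out and the caller redirects to the normal login (password + MFA).
ResetOutcome resetPasswordFixed(Login& login, User& u, const std::string& newHash) {
  u.passwordHash = newHash;
  login.state = LoginState::LoggedOut;
  return { login.state, true, "Password updated. Please log in again." };
}

int main() {
  User alice{"alice", "old-hash", true};   // constructed sample user with MFA
  Login session;
  std::cout << "vulnerable reset strong: "
            << (resetPasswordVulnerable(session, alice, "new-hash") == LoginState::Strong) << "\n";
  ResetOutcome r = resetPasswordFixed(session, alice, "new-hash");
  std::cout << "fixed reset redirects: " << r.redirectToLogin << " (" << r.notice << ")\n";
}
```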

#1 Updated by Raf Pauwels about 1 month ago

  • Status changed from New to InProgress

#2 Updated by Raf Pauwels about 1 month ago

  • Status changed from InProgress to Review
  • Assignee deleted (Raf Pauwels)

#3 Updated by Raf Pauwels 30 days ago

  • Status changed from Review to InProgress
  • Assignee set to Raf Pauwels

This should include a redirect to login with a notification asking the user to relogin.

#4 Updated by Matthias Van Ceulebroeck 3 days ago

  • Target version changed from 4.12.0 to 4.12.1