Bug #13768 (closed)
UpdatePasswordWidget bypasses MFA
Start date: 06/05/2025
% Done: 100%
Description
The default implementation of UpdatePasswordWidget strongly authenticates a user as soon as their password is successfully changed. Not only is this discouraged by OWASP, but it bypasses second factor authentication altogether if this is in place.
The default lost password implementation reduces authentication to a single factor (email), even with MFA enabled. We can close this loophole by still requiring the normal login procedure after resetting the password.
Updated by Raf Pauwels 4 months ago
- Status changed from InProgress to Review
- Assignee deleted (Raf Pauwels)
Updated by Raf Pauwels 4 months ago
- Status changed from Review to InProgress
- Assignee set to Raf Pauwels
This should include a redirect to login with a notification asking the user to relogin.
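Added example, not code from Wt or from this fix: a constructed C++ session model showing the flow the description criticises (password reset directly grants a strong login, so the second factor is never checked) beside the corrected flow, which drops the login state and sends the user back through the normal login with the notice mentioned above. All names, the session structure and the second-factor check are assumptions made for the illustration.

```cpp
#include <string>

// Constructed model of a login session (not Wt's Auth API).
enum class LoginState { LoggedOut, Weak, Strong };

struct User {
    std::string password;
    std::string totpSecret;   // empty means no second factor enrolled
};

struct Session {
    LoginState state = LoginState::LoggedOut;
    bool mfaVerified = false;
    std::string redirectTo;   // path the client is sent to next
    std::string notice;       // message shown on that page
};

// Vulnerable flow: the widget logs the user in as soon as the new password is stored.
void resetPasswordVulnerable(Session& s, User& u, const std::string& newPassword) {
    u.password = newPassword;
    s.state = LoginState::Strong;   // second factor never checked
}

// Fixed flow: store the password, clear any login state, and redirect to the
// normal login (password, then second factor) with a notice for the user.
void resetPasswordFixed(Session& s, User& u, const std::string& newPassword) {
    u.password = newPassword;
    s.state = LoginState::LoggedOut;
    s.mfaVerified = false;
    s.redirectTo = "/login";
    s.notice = "Your password was changed. Please log in again.";
}

// Normal login: a correct password grants Weak when MFA is enrolled, Strong otherwise.
bool loginWithPassword(Session& s, const User& u, const std::string& password) {
    if (password != u.password) return false;
    s.state = u.totpSecret.empty() ? LoginState::Strong : LoginState::Weak;
    return true;
}

// Second factor upgrades Weak to Strong. Comparing the code with the stored
// secret is a stand-in for real TOTP validation (assumption for this example).
bool verifySecondFactor(Session& s, const User& u, const std::string& code) {
    if (s.state != LoginState::Weak || code != u.totpSecret) return false;
    s.mfaVerified = true;
    s.state = LoginState::Strong;
    return true;
}

// Gate used by the application for sensitive pages: only the login state is consulted.
bool mayAccessAccount(const Session& s) { return s.state == LoginState::Strong; }
```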
Updated by Matthias Van Ceulebroeck 3 months ago
- Target version changed from 4.12.0 to 4.12.1
Updated by Raf Pauwels 2 months ago
- Status changed from InProgress to Implemented @Emweb
Updated by Matthias Van Ceulebroeck about 1 month ago
- Status changed from Implemented @Emweb to Implemented @Test
Updated by Matthias Van Ceulebroeck about 20 hours ago
- Status changed from Implemented @Test to Closed