[RSS Feed/News] Password reset allowed using email of banned user

Status
Not open for further replies.

XenForo

Steps to reproduce:
  1. Create 2 accounts
  2. Ban account1
  3. Log out or open an incognito window and go to /lost-password/
  4. Enter the email address of account1
  5. Log in as account2
  6. Visit the password reset link that you got for account1
  7. Change the password
Result: In the change log for account1 (the banned one) you will see account2 (the one you changed the password with).

Suggested fix: Don't send...
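
A minimal model of the checks this report points at, as an added example that is not part of the original post and is not XenForo code: a reset link is issued and honored only for a non-banned account, and a session logged in as a different user cannot complete it. The `User` and `ResetService` names, the addresses and the change-log format are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    email: str
    is_banned: bool = False
    pw_hash: bytes = b""
    change_log: list = field(default_factory=list)

class ResetService:
    """Hypothetical lost-password flow (constructed model, not XenForo code)."""

    def __init__(self, users):
        self.by_email = {u.email: u for u in users}
        self.by_id = {u.user_id: u for u in users}
        self.tokens = {}  # reset token -> user_id of the account it was issued for
        self.outbox = []  # (email, token) pairs that would be mailed

    def request_reset(self, email):
        user = self.by_email.get(email)
        # Issue a link only for an existing, non-banned account.
        if user is not None and not user.is_banned:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = user.user_id
            self.outbox.append((email, token))
        # Identical reply in every case, so the form does not reveal account state.
        return "If the address is registered, a reset link has been sent."

    def confirm_reset(self, token, new_password, session_user_id=None):
        owner_id = self.tokens.get(token)
        if owner_id is None:
            return False
        owner = self.by_id[owner_id]
        # Re-check the ban: it may have been applied after the mail went out.
        if owner.is_banned:
            del self.tokens[token]
            return False
        # A session logged in as another account must not act on this token.
        if session_user_id is not None and session_user_id != owner_id:
            return False
        del self.tokens[token]  # single use
        salt = secrets.token_bytes(16)
        owner.pw_hash = salt + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        # Attribute the change to the token's owner, never to the browsing session.
        owner.change_log.append({"field": "password", "changed_by": owner_id})
        return True
```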
