http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12371
dmin <dmin...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - low                    |P1 - high
                 CC|                            |dmin...@gmail.com
            Version|3.14                        |3.16
           Severity|enhancement                 |critical

--- Comment #2 from dmin <dmin...@gmail.com> ---
When two (or more) patrons are unverified, this issue causes all of the patrons to receive a verification email with the same token. If this link is used by the patron who is not associated with the token in the borrower_modifications table, the user name and password for the borrower who is associated with that token are displayed, providing access to the account and personal details of another patron. This represents a critical privacy issue with self-registrations.

This issue is known to affect 3.16.X (did not use self-registration in 3.14.X). Additionally, our borrower_modifications table always shows borrower # as 0, since borrower number is not generated until the patron is added to the borrowers table in opac-registration-verify.pl using AddMember_OPAC.

It appears the issue is stemming from the section of opac-memberentry.pl where the verification email is generated (as all tokens in the borrower_modifications table are unique) and only the token in the email is incorrect.
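An added example, not part of the original report or of Koha's code: an audit that compares the token in each queued verification email against the pending registration that owns it, flagging the shared-token condition described in the comment. The row layout, field names, link format and sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data. Field names are assumptions for this example.
# PENDING mirrors pending self-registrations (one unique token per row).
PENDING = [
    {"verification_token": "aaa111", "email": "alice@example.org"},
    {"verification_token": "bbb222", "email": "bob@example.org"},
]
# OUTBOX mirrors the verification emails actually generated.
OUTBOX = [
    {"to": "alice@example.org",
     "body": "Verify: /cgi-bin/koha/opac-registration-verify.pl?token=aaa111"},
    {"to": "bob@example.org",
     "body": "Verify: /cgi-bin/koha/opac-registration-verify.pl?token=aaa111"},
]

# Assumed link format: the token travels as a "token" query parameter.
TOKEN_RE = re.compile(r"[?&]token=([0-9A-Za-z]+)")


def audit(pending, outbox):
    """Return (finding, recipient(s), token) tuples for mismatched emails."""
    owner = {r["verification_token"]: r["email"].lower() for r in pending}
    recipients = defaultdict(set)
    findings = []
    for mail in outbox:
        to = mail["to"].lower()
        match = TOKEN_RE.search(mail["body"])
        if not match:
            findings.append(("no_token", to, None))
            continue
        token = match.group(1)
        recipients[token].add(to)
        if token not in owner:
            findings.append(("unknown_token", to, token))
        elif owner[token] != to:
            # Email carries a token that belongs to another registration.
            findings.append(("wrong_recipient", to, token))
    for token, tos in recipients.items():
        if len(tos) > 1:
            # Same token mailed to several patrons: the reported symptom.
            findings.append(("shared_token", ",".join(sorted(tos)), token))
    return findings


if __name__ == "__main__":
    for finding in audit(PENDING, OUTBOX):
        print(finding)
```

Any `wrong_recipient` or `shared_token` finding means a patron was mailed a link that resolves to someone else's pending registration, so those tokens should be invalidated and reissued.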