ibrahim kimbugwe created FINERACT-1698:
------------------------------------------

             Summary: Prompt user to confirm Password before changing password
                 Key: FINERACT-1698
                 URL: https://issues.apache.org/jira/browse/FINERACT-1698
             Project: Apache Fineract
          Issue Type: Improvement
          Components: Security
    Affects Versions: 1.7.0
            Reporter: ibrahim kimbugwe
             Fix For: 1.8.0
         Attachments: image-2022-08-21-12-48-27-080.png

Upon updating the password inside the user profile, a user needs to be prompted 
for his/her current password.

Let's take a scenario of a user finishing work in the evening and forgetting to 
log out of the system. The current session is 5 minutes, whereby if someone gets 
onto the user's computer while logged in, he/she can change the password, since 
the system allows changing a password without the need to confirm the old password.

!image-2022-08-21-12-48-27-080.png|width=554,height=280!

This is a big security issue since the user's changed credentials can be used 
even off the current PC to maliciously cause harm. 

[~edcable] [~aleks], [~francisguchie] [~rrpawar] & [~eroemma] what is your 
opinion on this and can it receive attention please?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
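The check the ticket asks for, shown as an added Python illustration that is not Fineract's own (Java) code: the weak flow rotates the credential on the strength of the session alone, while the hardened flow first verifies the current password against its stored hash. The in-memory UserStore, the PBKDF2 parameters and the user names are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Demo value, deliberately low so the example runs quickly; production deployments
# use far higher iteration counts or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the candidate's digest with the stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """Constructed in-memory credential store; only salted hashes are kept."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        return record is not None and verify_password(password, *record)

    def change_password_unverified(self, username: str, new_password: str) -> bool:
        # The behaviour the ticket reports: whoever holds the live session can
        # rotate the password without knowing the current one.
        self._users[username] = hash_password(new_password)
        return True

    def change_password(self, username: str, current_password: str, new_password: str) -> bool:
        # Hardened flow: re-authenticate with the current password before any change,
        # so an unattended session alone is not enough to take over the account.
        if not self.authenticate(username, current_password):
            return False
        self._users[username] = hash_password(new_password)
        return True
```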