ibrahim kimbugwe created FINERACT-1698:
------------------------------------------

             Summary: Prompt user to confirm Password before changing password
                 Key: FINERACT-1698
                 URL: https://issues.apache.org/jira/browse/FINERACT-1698
             Project: Apache Fineract
          Issue Type: Improvement
          Components: Security
    Affects Versions: 1.7.0
            Reporter: ibrahim kimbugwe
             Fix For: 1.8.0
         Attachments: image-2022-08-21-12-48-27-080.png

Upon updating the password inside the user profile, a user needs to be prompted for his/her current password. Let's take a scenario of a user who finishes work in the evening and forgets to log out of the system. The current session is 5 minutes, whereby if someone gets onto the user's computer while it is logged in, he/she can change the password, since the system allows changing a password without needing to confirm the old password.

This is a big security issue, since the user's changed credentials can be used even off the current PC to maliciously cause harm.

[~edcable] [~aleks], [~francisguchie] [~rrpawar] & [~eroemma] what is your opinion on this and can it receive attention please?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)