With a known session ID (from myself or sniffed), it is possible to change the password without any confirmation. In combination with Issue #26 it is possible to steal a complete user account without (direct) knowledge of the user (for example, if the user left the session open on a public computer).
The following curl command outlines this:
curl --request POST \
--url http://127.0.0.1:8080/api/account/change_password \
--header 'content-type: application/json' \
--cookie JSESSIONID={{ YOUR SESSION ID }} \
--data '{{ NEW_PASSWORD }}'
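To make the missing check concrete, here is an added example (not code from this project) of a `change_password` handler in the shape the report describes, beside a hardened version that re-authenticates with the current password and revokes every other session for the account; the in-memory `Store`, the field names `current_password`/`new_password` and the PBKDF2 parameters are assumptions for the illustration.

```python
import hashlib, hmac, os, secrets

class Store:
    """Constructed in-memory stand-in for the app's user and session tables."""
    def __init__(self):
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.sessions = {}   # JSESSIONID value -> username

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _verify(store: Store, username: str, password: str) -> bool:
    rec = store.users.get(username)
    return rec is not None and hmac.compare_digest(rec[1], _hash(password, rec[0]))

def set_password(store: Store, username: str, password: str) -> None:
    salt = os.urandom(16)
    store.users[username] = (salt, _hash(password, salt))

def login(store: Store, username: str, password: str):
    if not _verify(store, username, password):
        return None
    sid = secrets.token_urlsafe(32)  # new JSESSIONID
    store.sessions[sid] = username
    return sid

def change_password_unconfirmed(store: Store, sid: str, body: dict) -> int:
    """Behaviour the report describes: a valid session cookie is all it takes."""
    username = store.sessions.get(sid)
    if username is None:
        return 401
    set_password(store, username, body["new_password"])  # nothing else is checked
    return 200

def change_password_confirmed(store: Store, sid: str, body: dict) -> int:
    """Hardened: re-authenticate, then log out every other session of the account."""
    username = store.sessions.get(sid)
    if username is None:
        return 401
    if "current_password" not in body or "new_password" not in body:
        return 400
    if not _verify(store, username, body["current_password"]):
        return 403  # the session alone does not prove the account owner is present
    set_password(store, username, body["new_password"])
    for other, owner in list(store.sessions.items()):
        if owner == username and other != sid:
            del store.sessions[other]  # a hijacked or forgotten session loses access
    return 200
```

The HTTP status codes are what the handler would return; wiring it to a framework route is left out so the logic can be exercised directly.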