Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled

Last modified 06 Jun 2023 10:42 +02:00

Date: 5 June 2023

Severity: High (CVSS 8.0)

Affected versions: 4.7

Fixed in versions: 4.7.1


An attacker is able to change a user's password using the password reset form if focusIdentification is enabled and the attacker manipulates the URL to skip the follow-up configured password reset authorization steps.

Severity and Impact

This is a high-severity issue.

The affected feature is not enabled by default. The attacker can change the password of an existing user only if the focusIdentification authorization module was enabled (it is disabled by default).

Fix

  • Disabling focusIdentification for the password reset functionality, or

  • Upgrading to the latest maintenance release, 4.7.1