Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled
Date: 5 June 2023
Severity: High (CVSS 8.0)
Affected versions: 4.7
Fixed in versions: 4.7.1
Description
An attacker is able to change a user's password through the password reset form if focusIdentification
is enabled and the attacker manipulates the URL to skip the password reset authorization steps configured to follow it.
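As an illustrative example added here (not the affected product's code; the step names, request parameters and token format are assumptions), the following Python models the weakness class the description refers to: a multi-step reset flow that trusts the step named in the request, beside one that keeps the progress of each reset in a server-side session and refuses steps out of order.

```python
from dataclasses import dataclass

# Step order is an assumption of this example, not the product's configuration.
STEPS = ("identify", "verify_code", "set_password")
# Constructed one-time code accepted by the verification step.
VALID_CODE = "482913"


@dataclass
class ResetSession:
    """Server-side record of how far one password reset has progressed."""
    user: str
    next_step: int = 0  # index into STEPS of the only step allowed next


class VulnerableResetFlow:
    """Trusts the step named in the request; nothing records earlier steps."""

    def __init__(self, users):
        self.users = users  # constructed store: username -> password

    def handle(self, params):
        step = params.get("step")
        if step == "identify":
            return "continue" if params.get("user") in self.users else "denied"
        if step == "verify_code":
            return "continue" if params.get("code") == VALID_CODE else "denied"
        if step == "set_password":
            # No check that identify/verify_code ever ran for this user,
            # so a request naming only this step changes the password.
            self.users[params["user"]] = params["new_password"]
            return "changed"
        return "denied"


class HardenedResetFlow:
    """Progress lives in a server-side session reached through an opaque
    token; a request may only perform the step the session expects next."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # token -> ResetSession
        self._counter = 0   # stand-in for a random token generator

    def start(self, user):
        """The identify step: creates the session and returns its token."""
        if user not in self.users:
            return None
        self._counter += 1
        token = f"tok{self._counter}"
        self.sessions[token] = ResetSession(user=user, next_step=1)
        return token

    def handle(self, params):
        session = self.sessions.get(params.get("token"))
        if session is None or session.next_step >= len(STEPS):
            return "denied"
        expected = STEPS[session.next_step]
        if params.get("step") != expected:
            return "denied"  # out-of-order step: the URL was manipulated
        if expected == "verify_code":
            if params.get("code") != VALID_CODE:
                return "denied"
            session.next_step += 1
            return "continue"
        if expected == "set_password":
            # The target user comes from the session, never from the request.
            self.users[session.user] = params["new_password"]
            del self.sessions[params["token"]]  # sessions are one-shot
            return "changed"
        return "denied"


def attacker_skips_to_final_step(flow_cls):
    """Sends only the last step, as a manipulated URL would."""
    users = {"alice": "old-secret"}
    flow = flow_cls(users)
    result = flow.handle(
        {"step": "set_password", "user": "alice", "new_password": "pwned"})
    return result, users["alice"]


def attacker_with_token_skips_verification():
    """Holds a valid session token but never completes verify_code."""
    users = {"alice": "old-secret"}
    flow = HardenedResetFlow(users)
    token = flow.start("alice")
    result = flow.handle(
        {"token": token, "step": "set_password", "new_password": "pwned"})
    return result, users["alice"]


def legitimate_reset():
    """Walks the hardened flow in the configured order."""
    users = {"alice": "old-secret"}
    flow = HardenedResetFlow(users)
    token = flow.start("alice")
    r1 = flow.handle({"token": token, "step": "verify_code", "code": VALID_CODE})
    r2 = flow.handle({"token": token, "step": "set_password", "new_password": "fresh"})
    return r1, r2, users["alice"]


if __name__ == "__main__":
    print("vulnerable, skipped steps:", attacker_skips_to_final_step(VulnerableResetFlow))
    print("hardened, skipped steps:  ", attacker_skips_to_final_step(HardenedResetFlow))
    print("hardened, token only:     ", attacker_with_token_skips_verification())
    print("hardened, full sequence:  ", legitimate_reset())
```

The point of the hardened variant is that the client never chooses where it is in the flow: the server advances a per-reset session one step at a time, and the account being changed is read from that session rather than from the request.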
Severity and Impact
This is a high-severity issue.
The affected feature is not enabled by default.
The attacker can change the password of an existing user if the focusIdentification
authorization module is enabled (it is disabled by default).
Mitigation
- Disabling focusIdentification for password reset functionality, or:
- Upgrading to the latest maintenance release 4.7.1