Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled

Last modified 09 Feb 2024 14:12 +01:00

Date: 5 June 2023

Severity: High (CVSS 8.0)

Affected versions: 4.7

Fixed in versions: 4.7.1


Attacker is able to change user password using password reset form, if focusIdentification is enabled and attacker manipulates URL to skip follow-up configured password reset authorization steps.

Severity and Impact

This is high-severity issue.

The affected feature is not enabled by default. The attacker can change password of existing user if focusIdentification authorization module was enabled (it is disabled by default).


  • Disabling focusIdentification for password reset functionality, or:

  • Upgrading to latest maintenance release 4.7.1

Was this page helpful?
Thanks for your feedback