Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled
Date: 5 June 2023
Severity: High (CVSS 8.0)
Affected versions: 4.7
Fixed in versions: 4.7.1
An attacker is able to change a user's password using the password reset form if focusIdentification is enabled and the attacker manipulates the URL to skip the follow-up configured password reset authorization steps.
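The root cause described above is a reset flow that lets the client-supplied URL decide which authorization step is being executed, so that a request for the final step is honoured even when the configured intermediate steps never ran. The defensive pattern is to keep the step state on the server and to allow the final password change only when every configured step is recorded as completed in that state. The following Python sketch is an added illustration written for this advisory; it is not the affected product's code. Everything in it apart from the name focusIdentification (the hypothetical "secondFactor" step, the verifiers, the user store and the sample credentials) is a constructed placeholder.

```python
"""Server-side enforcement of a multi-step password-reset sequence.

Illustrative example, not the affected product's code. A ResetSession
lives on the server and records which configured steps have actually
been completed. The final change-password action checks that record,
not anything the client sends, so jumping straight to the last URL
is rejected.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Hypothetical configured sequence: focusIdentification is the module
# named in the advisory; "secondFactor" is a made-up follow-up step.
RESET_SEQUENCE: Sequence[str] = ("focusIdentification", "secondFactor")


class ResetFlowError(Exception):
    """Raised when a request does not match the server-side flow state."""


@dataclass
class ResetSession:
    """Server-side state for one reset attempt (never derived from the URL)."""
    username: Optional[str] = None
    completed: List[str] = field(default_factory=list)


class PasswordResetFlow:
    def __init__(self, sequence: Sequence[str] = RESET_SEQUENCE):
        self.sequence = tuple(sequence)
        # Constructed in-memory user store: username -> current password.
        self.passwords = {}

    def complete_step(self, session: ResetSession, step: str, evidence: str) -> None:
        """Record `step` as done only if it is the next expected step and
        its verifier accepts the submitted evidence."""
        index = len(session.completed)
        if index >= len(self.sequence):
            raise ResetFlowError("sequence already complete")
        expected = self.sequence[index]
        if step != expected:
            # Out-of-order or skipped step: the client cannot pick its position.
            raise ResetFlowError(f"expected step {expected!r}, got {step!r}")
        if not self._verify(step, session, evidence):
            raise ResetFlowError(f"step {step!r} failed")
        session.completed.append(step)

    def _verify(self, step: str, session: ResetSession, evidence: str) -> bool:
        # Toy verifiers standing in for the real authorization modules.
        if step == "focusIdentification":
            if evidence in self.passwords:
                session.username = evidence
                return True
            return False
        if step == "secondFactor":
            return evidence == "123456"  # constructed one-time code
        return False

    def change_password(self, session: ResetSession, new_password: str) -> bool:
        """Final action: authorized only when the whole configured sequence
        is recorded as completed in the server-side session."""
        if list(session.completed) != list(self.sequence):
            missing = [s for s in self.sequence if s not in session.completed]
            raise ResetFlowError(f"missing steps: {missing}")
        self.passwords[session.username] = new_password
        return True


def handle_request(flow: PasswordResetFlow, session: ResetSession,
                   path: str, payload: str) -> str:
    """Minimal dispatcher: the path only selects the action; whether that
    action is allowed is decided by the session state, not by the path."""
    if path.startswith("/reset/step/"):
        flow.complete_step(session, path[len("/reset/step/"):], payload)
        return "step accepted"
    if path == "/reset/changePassword":
        flow.change_password(session, payload)
        return "password changed"
    raise ResetFlowError(f"unknown path {path!r}")


if __name__ == "__main__":
    flow = PasswordResetFlow()
    flow.passwords["alice"] = "old-password"  # constructed sample user
    session = ResetSession()
    print(handle_request(flow, session, "/reset/step/focusIdentification", "alice"))
    try:
        handle_request(flow, session, "/reset/changePassword", "attacker-chosen")
    except ResetFlowError as exc:
        print("rejected:", exc)
    print(handle_request(flow, session, "/reset/step/secondFactor", "123456"))
    print(handle_request(flow, session, "/reset/changePassword", "new-password"))
```

The check in `change_password` is the one that matters: it compares the session's completed list against the configured sequence rather than trusting that a request for the final URL implies the earlier steps ran. Completing steps out of order is also refused in `complete_step`, so the configured order cannot be reshuffled from the client side.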
Severity and Impact
This is a high-severity issue.
The affected feature is not enabled by default.
The attacker can change the password of an existing user if the focusIdentification authorization module was enabled (it is disabled by default).
focusIdentification for password reset functionality, or:
Upgrading to the latest maintenance release 4.7.1