When a user resets their password via the email reset link method while 2 Factor Authentication is enabled, it is possible to set a new account password without entering a valid 2FA token. Existing user sessions are terminated, so an adversary with access to a user's mail account can cause Denial of Service.
Current Behavior
1.) receive password reset email
2.) enter new password + confirmation
3.) save new password
Expected Behavior
1.) receive password reset email
2.) enter new password + confirmation
3.) enter valid 2FA token
4.) save new password
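The expected flow above, as an added example that is not part of the original report or the project's code: a reset handler that accepts the emailed token but refuses to change the password, or terminate sessions, unless an enrolled 2FA user also presents a valid TOTP code. The User model, token fields and PBKDF2 hasher are assumptions for the example; the TOTP routine is plain RFC 6238 so it runs offline.

```python
import hashlib, hmac, struct, time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:                                   # assumed model, not the project's
    username: str
    password_hash: bytes
    totp_secret: Optional[bytes] = None       # None: 2FA not enrolled
    sessions: set = field(default_factory=set)
    reset_token: Optional[str] = None         # single-use token sent by email
    reset_expires: int = 0                    # unix time the link stops working

def hash_password(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # PBKDF2 stands in for the application's real password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp_code(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1; 'at' is a unix timestamp.
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    # Allow one step of clock drift either side; compare in constant time.
    return any(hmac.compare_digest(totp_code(secret, at + d * 30), code)
               for d in range(-window, window + 1))

def complete_password_reset(user: User, presented_token: str, new_password: str,
                            totp: Optional[str] = None, now: Optional[int] = None) -> bool:
    """Finish an email-link reset. Returns True only when the link is valid and,
    if the account has 2FA enrolled, a valid TOTP code was supplied."""
    now = int(time.time()) if now is None else now
    if user.reset_token is None or now > user.reset_expires:
        return False                          # no outstanding or expired link
    if not hmac.compare_digest(user.reset_token, presented_token):
        return False
    if user.totp_secret is not None:
        # The check the report asks for: a reset link alone must not bypass 2FA.
        if totp is None or not verify_totp(user.totp_secret, totp, now):
            return False
    user.password_hash = hash_password(new_password)
    user.reset_token = None                   # single use
    user.sessions.clear()                     # only now is it safe to end other sessions
    return True
```

Because sessions are cleared only after the 2FA check passes, a mailbox compromise on its own can no longer log the user out of every device.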