When editing the user profile in the Edit Profile tab in the upper right corner of the main panel, when changing the authentication option to disconnected, email or Google Authenticator and entering a password other than the real one in the “enter the current password” field and saving, the system authorizes. Wouldn’t that be a security breach?
I’ve tried this on 2.3.5, and for me, unless I correctly fill in my existing password in the first box, I simply get “Access Denied” and my change is not saved.
Once I enter the correct password it allows me to make changes as expected.