Jonathan Druart
06d1259e56
If an attacker can get an authenticated Koha user to visit their page with the URL below, they can change patrons' passwords:

/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:
Trigger /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token"
(no need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
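The fix described in the commit message rejects the request unless it carries a valid CSRF token. The following stand-alone Perl script is an added example written for this page; it is not Koha's own code (Koha's real token handling lives in its own modules and is not shown here). It demonstrates the pattern: a token is derived from the session id with an HMAC so that an attacker's page cannot compute or read it, and a hypothetical change_password handler refuses any request without it, which is exactly what the attacker's crafted link produces. The secret, the session id, the function names, the handler and its return strings are all assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module, no CPAN install needed

# Assumption: in a real deployment this secret comes from configuration,
# never from source control, and is long and random.
my $SECRET = 'replace-with-a-long-random-secret';

# Mint a token bound to the victim's session. Only the server knows $SECRET,
# so a page the attacker controls cannot produce a matching value, and the
# same-origin policy keeps it from reading the token out of the real form.
sub generate_csrf {
    my ($session_id) = @_;
    return hmac_sha256_hex( $session_id, $SECRET );
}

# Constant-time comparison so the check does not leak token bytes via timing.
sub constant_time_eq {
    my ( $x, $y ) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Reject missing tokens outright; a crafted GET link has no way to include one.
sub check_csrf {
    my ( $session_id, $token ) = @_;
    return 0 unless defined $token;
    return constant_time_eq( generate_csrf($session_id), $token );
}

# Hypothetical stand-in for a password-change script. It returns a status
# string instead of dying, purely so the demo can print both outcomes.
sub change_password {
    my (%req) = @_;
    return 'rejected: Wrong CSRF token'
        unless check_csrf( $req{session_id}, $req{csrf_token} );
    return 'rejected: passwords do not match'
        unless $req{newpassword} eq $req{newpassword2};
    return "ok: password updated for borrowernumber $req{member}";
}

# Constructed session id for the demo.
my $session = 'sess-7f3a';

# 1. The attacker's request: the parameters from the URL in the commit
#    message, riding on the victim's session cookie, but with no token.
print change_password(
    session_id  => $session,
    member      => 42,
    newpassword => 'hacked',
    newpassword2 => 'hacked',
), "\n";

# 2. A legitimate submission of the real form, which carries the token the
#    server embedded when it rendered the page.
print change_password(
    session_id   => $session,
    member       => 42,
    csrf_token   => generate_csrf($session),
    newpassword  => 'hacked',
    newpassword2 => 'hacked',
), "\n";
```

Run it with `perl csrf_demo.pl`: the first call is rejected with the CSRF error, the second succeeds. Binding the token to the session id (rather than issuing one global token) means a token captured from one account is useless against another, and the HMAC means the server stores nothing per token; it only needs the secret and the session id already available on every request.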