django-rest-passwordreset

[BUG] Can reset some other user's password by an accidentally mistyped OTP

Open hassan404 opened this issue 4 months ago • 0 comments

Describe the bug

A user can reset the password of some other user if they accidentally/intentionally type their OTP password.

How to reproduce

  • Request a token A for User1 using the ResetPasswordRequestToken APIView
  • If User2 provides token A to the ResetPasswordConfirm APIView (accidentally/intentionally), they will be able to reset the password for User1

Expected behavior

During OTP validation, a user should not be able to accidentally change the email of another user, no matter how low the probability of doing so.

hassan404 · Oct 04 '24 09:10
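The steps above describe a reset token that, by itself, selects the account whose password gets changed: the confirm endpoint receives only the token and the new password, so whoever presents a valid token (by mistake or by guessing a short numeric OTP) resets that token's account. The following is an added illustration, not code from this issue or from django-rest-passwordreset. It models the request/confirm flow in plain Python with an in-memory token table, plays the reporter's two steps against the token-only lookup, and then against a hardened confirm step that requires the caller to name the account, checks the OTP only against tokens issued for that account, and discards the token after a few wrong guesses. The class and function names (`PasswordResetService`, `ResetToken`, `reproduce`), the 4-digit OTP format, the e-mail addresses and the TTL and lockout values are all assumptions made for the example.

```python
"""Model of a password-reset request/confirm flow (added example; not the
django-rest-passwordreset implementation). Names and values are assumed."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash_password(password: str) -> str:
    # Demo-only hashing so the sample user table holds no plaintext;
    # a real system uses the framework's password hasher.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class ResetToken:
    key: str          # the OTP the user receives by e-mail
    email: str        # account the token was issued for
    created_at: float
    failures: int = 0  # wrong guesses seen for this token (hardened path only)


class PasswordResetService:
    def __init__(self, users, bind_to_account=False, ttl=900, max_failures=3):
        self.users = users            # email -> password hash (constructed sample data)
        self.tokens = {}              # key -> ResetToken, standing in for the token table
        self.bind_to_account = bind_to_account
        self.ttl = ttl                # seconds a token stays valid (assumed value)
        self.max_failures = max_failures  # wrong guesses before the token is dropped

    def request_token(self, email, key=None, now=None):
        """Stand-in for the request-token endpoint: issue a short numeric OTP."""
        if email not in self.users:
            return None  # a real endpoint answers identically to avoid account enumeration
        key = key or f"{secrets.randbelow(10_000):04d}"  # 4-digit OTP, assumed format
        now = time.time() if now is None else now
        self.tokens[key] = ResetToken(key, email, now)
        return key

    def confirm(self, key, new_password, email=None, now=None):
        """Stand-in for the confirm endpoint."""
        now = time.time() if now is None else now
        if not self.bind_to_account:
            # Token-only shape: the key alone picks the victim, so `email` is ignored.
            # User2 presenting User1's OTP changes User1's password.
            token = self.tokens.pop(key, None)
            if token is None or now - token.created_at > self.ttl:
                return False
            self.users[token.email] = _hash_password(new_password)
            return True

        # Hardened shape: the caller must name the account, and the key is
        # compared only against tokens issued for that account.
        if email is None:
            return False
        for token in [t for t in self.tokens.values() if t.email == email]:
            if now - token.created_at > self.ttl:
                del self.tokens[token.key]
                continue
            if hmac.compare_digest(token.key, key):
                del self.tokens[token.key]  # single use
                self.users[email] = _hash_password(new_password)
                return True
            token.failures += 1
            if token.failures >= self.max_failures:
                del self.tokens[token.key]  # a 4-digit OTP must not survive a guessing loop
        return False

    def check_password(self, email, password):
        return hmac.compare_digest(self.users[email], _hash_password(password))


def reproduce(bind_to_account):
    """Play the issue's two steps: token A is issued for User1, User2 presents it."""
    users = {  # constructed sample accounts
        "user1@example.com": _hash_password("user1-original"),
        "user2@example.com": _hash_password("user2-original"),
    }
    svc = PasswordResetService(users, bind_to_account=bind_to_account)
    token_a = svc.request_token("user1@example.com", key="1234")  # fixed key for the demo
    accepted = svc.confirm(token_a, "attacker-chosen", email="user2@example.com")
    return {
        "reset_accepted": accepted,
        "user1_password_changed": not svc.check_password("user1@example.com", "user1-original"),
    }


if __name__ == "__main__":
    print("token-only lookup:", reproduce(bind_to_account=False))
    print("bound to account: ", reproduce(bind_to_account=True))
```

With the token-only lookup the reporter's step 2 succeeds and User1's password is replaced; with the account-bound confirm the same request fails and User1's password is untouched, while User1 confirming their own token still works. Binding the confirm step to the account also shrinks the attacker's target from "any outstanding token" to "the one token for the account I name", which is what makes a per-token failure limit meaningful for short OTPs.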