PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030
This module adds a form on the password-reset landing page that lets a user change their password during the login process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any user and gain access to their account. In...