Ghost

OpenSourceArk/Ghost

Fork 0

Commit Graph

Author	SHA1	Message	Date
Fabien O'Carroll	4e947a88ce	Fixed security hole in email address change flow refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr The email address change flow was built on top of the unauthenticated signin/signup flow. This meant that ownership of the email being changed wasn't verified and allowed a malicious actore to change the email address of arbitrary accounts to an email address which they controlled. We remove the ability to change email addresses from the signin/signup flow and instead create a dedicated, authenticated flow for changing email address.	2021-09-22 16:49:17 +02:00
Fabien O'Carroll	d51fdc3f4a	Moved code out of index.js in directories refs https://github.com/TryGhost/Team/issues/879	2021-07-14 14:17:38 +01:00

Author

SHA1

Message

Date

Fabien O'Carroll

4e947a88ce

Fixed security hole in email address change flow

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

The email address change flow was built on top of the unauthenticated
signin/signup flow. This meant that ownership of the email being changed
wasn't verified and allowed a malicious actore to change the email
address of arbitrary accounts to an email address which they controlled.

We remove the ability to change email addresses from the signin/signup
flow and instead create a dedicated, authenticated flow for changing
email address.

2021-09-22 16:49:17 +02:00

Fabien O'Carroll

d51fdc3f4a

Moved code out of index.js in directories

refs https://github.com/TryGhost/Team/issues/879

2021-07-14 14:17:38 +01:00

2 Commits