Mirror of https://github.com/TryGhost/Ghost.git (synced 2025-02-10 23:36:14 -05:00)
Independent technology for modern publishing, memberships, subscriptions and newsletters.
Topics: blogging, cms, creator-economy, ghost, hacktoberfest, headless-cms, jamstack, javascript, journalism, nodejs, publishing, web-application
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

The email address change flow was built on top of the unauthenticated signin/signup flow. This meant that ownership of the email being changed wasn't verified and allowed a malicious actor to change the email address of arbitrary accounts to an email address which they controlled.

We remove the ability to change email addresses from the signin/signup flow and instead create a dedicated, authenticated flow for changing email address.