Views:

Applies to Product -Power Pages

What’s happening?
Users are able to reset their password without validation to prevent the use of an old password as the new password.


Reason:
The system does not validate if the user is attempting to use an old password when performing a password reset through the "forgot your password?" action.


Resolution:

  • After performing a sign-in, in the profile page, the user can change the password using the “Change Password” action. In this section, it is requested by the end user to provide the current and new password, and the system does not allow the old password to be used as the new one.
  • When performing the “forgot your password?” action, the end user is only requested to provide a new password. The system does not check if the new password matches the existing one because the end user is not logged in, and this behavior is by design to avoid revealing the current password.