MantisBT: master-2.27 765fbd2a

Author: dregad
Committer: dregad
Branch: master-2.27
Timestamp: 2025-10-19 09:37
Parent: master-2.27 371c830f
Affected Issues: 0036005: CVE-2025-55155: Lack of verification when changing a user's email address
Changeset

Email validation hash not usable to reset password

Since we use the same token to store the confirmation hash for all
validation emails, we need to make sure that if it was generated for an
email confirmation it cannot be used for a password reset, and vice
versa.

Fixes 0036005

mod - core/user_api.php
mod - verify.php
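
The rule stated in the commit message, as an added PHP example that is not MantisBT's code and does not reproduce the changes to core/user_api.php or verify.php: when one per-user slot holds the confirmation hash for every validation email, the purpose has to be stored with the hash and checked by each flow. The function names, purpose constants and in-memory store are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical purpose labels; these are not MantisBT constants.
const PURPOSE_EMAIL_CONFIRM  = 'email_confirm';
const PURPOSE_PASSWORD_RESET = 'password_reset';

// Constructed in-memory stand-in for the single per-user token slot.
$token_store = [];

function issue_token(array &$store, int $user_id, string $purpose, int $ttl = 3600): string
{
    $hash = bin2hex(random_bytes(32));
    // The slot is shared by all validation emails, so record what this hash is for.
    $store[$user_id] = [
        'hash'    => $hash,
        'purpose' => $purpose,
        'expires' => time() + $ttl,
    ];
    return $hash;
}

function verify_token(array &$store, int $user_id, string $hash, string $expected_purpose): bool
{
    $entry = $store[$user_id] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return false;
    }
    // A correct hash presented to the wrong flow is rejected and stays unconsumed.
    if ($entry['purpose'] !== $expected_purpose) {
        return false;
    }
    // Constant-time comparison of the secret value.
    if (!hash_equals($entry['hash'], $hash)) {
        return false;
    }
    unset($store[$user_id]); // single use
    return true;
}

// Constructed scenario: a hash issued for email confirmation (user id 42 is arbitrary).
$hash = issue_token($token_store, 42, PURPOSE_EMAIL_CONFIRM);
var_dump(verify_token($token_store, 42, $hash, PURPOSE_PASSWORD_RESET)); // wrong flow
var_dump(verify_token($token_store, 42, $hash, PURPOSE_EMAIL_CONFIRM));  // intended flow
var_dump(verify_token($token_store, 42, $hash, PURPOSE_EMAIL_CONFIRM));  // replay after use
```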