Bug #8879
Integrations can cause cleartext password to be lost when sending activation email

Added by krileon 9 months ago. Updated about 2 months ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Start date: 04 March 2022
Due date:
% Done: 0%
Estimated time:

Description

A user store done during a user trigger can result in the cleartext password being encrypted. This results in the password being encrypted in the email as well. This is a problem when using randomly generated passwords, as the user won't be able to receive their password.

So far this is confirmed to happen with CBSubs in the following scenario.

Randomly Generated Passwords: Yes
Admin Approval: No
Email Confirmation: No

In this case the password would be sent in the Welcome email, but due to a user store in CBSubs it becomes encrypted. Other integrations could easily cause this as well. It would be safer to pass the cleartext password to the activateUser function directly and then on to email handling, OR to keep it as a private variable like _password.
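As an added illustration of the failure described in this report (not Community Builder's or CBSubs' code; the `User` class, `store()`, `integrationOnUserTrigger()`, `registerBuggy()`/`registerFixed()` and `activateUser*()` names are hypothetical), a simplified model: the registration flow reads the password from the user object when it builds the welcome email, but an integration that saves the user during a trigger has already hashed that field in place. The fixed flow captures the cleartext before any trigger runs and passes it to `activateUser()` explicitly.

```php
<?php
// Hypothetical, simplified model of the bug; not the project's real API.

class User {
    public string $email;
    public string $password; // cleartext on input, hashed after store()

    public function __construct(string $email, string $password) {
        $this->email = $email;
        $this->password = $password;
    }

    // Hashes the password field in place before persisting, as a user table
    // typically does. Once this has run, the cleartext is gone from the object.
    public function store(): void {
        if (empty(password_get_info($this->password)['algo'])) {
            $this->password = password_hash($this->password, PASSWORD_DEFAULT);
        }
    }
}

// An integration (e.g. a subscription plugin) that reacts to a user trigger
// by saving the user object, which hashes the password field as a side effect.
function integrationOnUserTrigger(User $user): void {
    $user->store();
}

// Buggy flow: the welcome email is built from the user object after the
// triggers have run, so it carries the hash instead of the password.
function activateUserBuggy(User $user): string {
    return "Welcome {$user->email}, your password is {$user->password}";
}
function registerBuggy(User $user): string {
    integrationOnUserTrigger($user); // integration stores -> field is hashed
    $user->store();                  // core store, nothing left to protect
    return activateUserBuggy($user);
}

// Fixed flow: capture the cleartext before any trigger or store runs and hand
// it to activateUser directly, so later stores cannot clobber it.
function activateUserFixed(User $user, string $cleartext): string {
    return "Welcome {$user->email}, your password is {$cleartext}";
}
function registerFixed(User $user): string {
    $cleartext = $user->password;
    integrationOnUserTrigger($user);
    $user->store();
    return activateUserFixed($user, $cleartext);
}

$u = new User('alice@example.com', 'Xk7#constructedRandomPw'); // constructed sample
echo registerBuggy(clone $u), "\n"; // email contains the hash, not the password
echo registerFixed(clone $u), "\n"; // email contains the cleartext password
```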

Actions #1

Updated by krileon 9 months ago

Also worth considering improving this feature so the random password is single use. To do this we'd need to toggle on resetPassword at time of registration. This way on first login they'd have to provide a new password.

Actions #2

Updated by beat 5 months ago

  • Target version changed from CB 2.7.3 to CB 2.7.4

Actions #3

Updated by krileon about 2 months ago

  • Target version changed from CB 2.7.4 to CB 2.7.5