Hi
I have inherited an ADX Portal deployed by someone else and have discovered a potential vulnerability during a password change.
ADX Portal 7.0.0021 with CRM2016 (On premise)
Once you are logged in you seem to be able to go to the "Password Change" page and set a new password.
On that page there is a disabled field with your username. You can quite easily set the value of that field to any other user using IE Developer Tools, Firebug, etc.
This will allow you to change the password for any user as long as you know their username. You also need to have your own account so you can get to the ChangePassword page, but it still looks like a vulnerability to me.
So I wonder if it has been addressed in any of the newer versions or if we should implement something ourselves. There is also the possibility that this should not be possible and there is something wrong with our configuration, so it would be good to get a confirmation if that is the case.
Many thanks,
Pawel
You can also look at the "a little bit more supported" on-prem version of the Portals, which is free and open-source, here: github.com/.../xRM-Portals-Community-Edition
Hi,
I tested what you suggested and it does not work :)
The username in the change password screen is only for display and is not sent back as a part of the password update; it is most likely tied to the CRM Contact ID bound to the user session.
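The behaviour the reply describes (the account comes from the server-side session, the username field is display only) next to the pattern the question worries about (a handler that believes the posted username), as an added Python illustration. This is not ADX Portal or CRM code: the in-memory user store, session table, form dicts and user names are constructed stand-ins, and the current-password re-check and the tamper log are extra safeguards not mentioned on the page.

```python
"""Why a tampered display-only username field should not matter when the
password change is bound to the authenticated session.  Added example with a
constructed in-memory data model; not ADX Portal code."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for the CRM contact table and the portal session store.
USERS = {}       # username -> {"contact_id": str, "salt": bytes, "hash": bytes}
SESSIONS = {}    # session token -> contact_id of the authenticated user
TAMPER_LOG = []  # constructed audit log of submissions whose username disagrees with the session


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, contact_id: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"contact_id": contact_id, "salt": salt, "hash": _hash(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def login(username: str, password: str) -> Optional[str]:
    """Returns a session token bound to the user's contact id, or None."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = USERS[username]["contact_id"]
    return token


def _username_for_contact(contact_id: str) -> str:
    return next(u for u, rec in USERS.items() if rec["contact_id"] == contact_id)


def change_password_trusting_form(token: str, form: dict) -> bool:
    """The pattern the question worries about: the handler trusts the posted
    username.  A field that is disabled in the browser is still just a form
    value, so this lets any logged-in user reset any other account."""
    if token not in SESSIONS:
        return False
    target = USERS.get(form["username"])
    if target is None:
        return False
    target["hash"] = _hash(form["new_password"], target["salt"])
    return True


def change_password_session_bound(token: str, form: dict) -> dict:
    """Hardened form, matching the behaviour the reply describes: the account
    is taken from the server-side session and the username field is ignored
    except as a tamper signal.  Re-checking the current password is an added
    safeguard, not something the page states the portal does."""
    contact_id = SESSIONS.get(token)
    if contact_id is None:
        return {"changed": False, "tamper_detected": False}
    username = _username_for_contact(contact_id)
    # Detection hook: a posted username that disagrees with the session is worth logging.
    tampered = form.get("username") not in (None, username)
    if tampered:
        TAMPER_LOG.append({"session_user": username, "posted_username": form.get("username")})
    if not verify_password(username, form.get("current_password", "")):
        return {"changed": False, "tamper_detected": tampered}
    rec = USERS[username]
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _hash(form["new_password"], rec["salt"])
    return {"changed": True, "tamper_detected": tampered}


def seed_users() -> None:
    """Constructed sample accounts used by the demo below."""
    create_user("alice", "C-001", "alice-old-pw")
    create_user("bob", "C-002", "bob-old-pw")


if __name__ == "__main__":
    seed_users()
    tok = login("alice", "alice-old-pw")
    # alice's browser submits the form with the display field edited to "bob".
    tampered_form = {"username": "bob", "current_password": "alice-old-pw", "new_password": "alice-new-pw"}
    print(change_password_session_bound(tok, tampered_form))   # alice changed, bob untouched, tamper logged
    print(verify_password("bob", "bob-old-pw"))                 # True
    print(TAMPER_LOG)
```

The session-bound handler never reads the posted username to decide whose record to update, which is the property the reply attributes to the portal; logging the mismatch between the display field and the session user gives operators a cheap signal that someone is editing the form.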