You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: POST /api/contactpersonen/change-password is annotated @NoAdminRequired. The only access check is that the caller is logged in — there is no verification that username in the body matches the currently authenticated user, and no current-password confirmation. Any authenticated user can supply an arbitrary username in the JSON body and overwrite that account's password.
Scenario:
POST /api/contactpersonen/change-password
{"username":"admin","newPassword":"Attacker1!"}
Sent as any non-admin user → admin password is reset → full admin takeover.
Suggested fix:
Drop @NoAdminRequiredor add a service-layer check: username === currentUser->getUID() || isAdmin().
For self-service flows require current-password verification before accepting a new password.
Severity: CRITICAL
Location:
lib/Controller/ContactpersonenController.phplines 505–581Description:
POST /api/contactpersonen/change-passwordis annotated@NoAdminRequired. The only access check is that the caller is logged in — there is no verification thatusernamein the body matches the currently authenticated user, and no current-password confirmation. Any authenticated user can supply an arbitraryusernamein the JSON body and overwrite that account's password.Scenario:
Sent as any non-admin user → admin password is reset → full admin takeover.
Suggested fix:
@NoAdminRequiredor add a service-layer check:username === currentUser->getUID() || isAdmin().Source: deep team-reviewer pass 2026-05-27