mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-11-24 06:35:49 +03:00
4e947a88ce
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr The email address change flow was built on top of the unauthenticated signin/signup flow. This meant that ownership of the email being changed wasn't verified and allowed a malicious actore to change the email address of arbitrary accounts to an email address which they controlled. We remove the ability to change email addresses from the signin/signup flow and instead create a dedicated, authenticated flow for changing email address. |
||
---|---|---|
.. | ||
domain-events | ||
magic-link | ||
member-analytics-service | ||
member-events | ||
members-analytics-ingress | ||
members-api | ||
members-csv | ||
members-importer | ||
members-ssr | ||
members-stripe-service |