A signed-in user could bypass password prompt before editing platform user details


24 Dec 2019


1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.


2.7.0


A signed-in platform user could modify the raw data of an API request to alter user profile details.

When a user edits user details, the platform prompts for the user password only at the GUI level.
The password prompt can be avoided, and changes to user profile details still applied, by bypassing the GUI layer and directly modifying the raw data of the API request.

A signed-in user who has at least the modify users permission, no admin access rights, and a valid user token could modify the details of the user profile the token refers to by editing the raw data of the API request and then sending the updated request to the platform.
When user profile information is edited in this way, the platform does not prompt the user to enter their password before executing the action.

Up to and including release 2.6.0, the platform enforces the user password check for high-risk operations only at the GUI level; it does not enforce it at the API level.
We plan to enforce the password check at the API level as well, starting from release 2.7.0.
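
The difference between a GUI-only prompt and a check enforced at API level, shown as an added example that is not EclecticIQ Platform code. The handler names, the request fields (`changes`, `current_password`), the profile fields, the user and the token are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

EDITABLE_FIELDS = {"email", "display_name"}  # hypothetical profile fields


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: one user and one valid API token.
_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "pw_hash": _hash("correct horse", _SALT),
                   "email": "alice@example.test"}}
TOKENS = {"constructed-token-alice": "alice"}


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def _user_for_token(token: str) -> str:
    if token not in TOKENS:
        raise ApiError(401, "invalid token")
    return TOKENS[token]


def _apply(user: str, changes: dict) -> int:
    # Only allow-listed fields are writable, so a request cannot overwrite pw_hash or salt.
    USERS[user].update({k: v for k, v in changes.items() if k in EDITABLE_FIELDS})
    return 200


def update_profile_token_only(token: str, body: dict) -> int:
    """Behaviour described for 2.6.0 and earlier: a valid token is enough."""
    return _apply(_user_for_token(token), body.get("changes", {}))


def update_profile_reauth(token: str, body: dict) -> int:
    """Password check enforced in the API handler, independent of any GUI."""
    user = _user_for_token(token)
    supplied = body.get("current_password")
    record = USERS[user]
    if not isinstance(supplied, str) or not hmac.compare_digest(
            _hash(supplied, record["salt"]), record["pw_hash"]):
        raise ApiError(403, "current password required")
    return _apply(user, body.get("changes", {}))
```

Because the second handler rejects any request that lacks the correct current password, the outcome no longer depends on whether the request came from the GUI.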


Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.



In release notes 2.7.0