Password reset form sends password in plaintext in the URL
Summary
When a user resets their password, the new password is sent in plaintext in the URL of the GET request.
Error Messages
Not Applicable
Steps to Reproduce
Reset your password using the link in the profile of the user portal.
Root Cause
A defect in Pegasystems' code or rules. An old version of the password reset dialog is used, which submits the form with GET instead of POST.
Resolution
Perform the following local change:
1) Save the rule @baseclass.Desktop-Operator-Profile-Full into the application ruleset.
2) Copy the HTML Source from the rule @baseclass.Operator-Profile-Full into the HTML Source field of the Desktop-Operator-Profile-Full rule, and save it into the ruleset.
3) Save or check in Desktop-Operator-Profile-Full.
This uses the new version of the dialog, which submits with POST. Logged-in users must log out before they see the change.
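To confirm the old GET dialog is no longer in use after the change, an access-log scan for requests that carry credential parameters in the query string is a useful check. The following is an added example, not Pegasystems' code or part of the article; the log lines are constructed, and the request path, activity name and parameter names are assumptions.

```python
"""Scan web-server access log lines for credential material in GET query strings.

Added example, not Pegasystems' code. Log lines are constructed; the /prweb/
path, activity name and parameter names are assumptions, not taken from the article.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive (assumed names, not Pega's own).
SENSITIVE_PARAMS = {"password", "newpassword", "confirmpassword", "pwd", "passwd"}

# Matches the request field of a Combined Log Format line: "METHOD /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in_url(target: str) -> list:
    """Return the sensitive parameter names present in the query string of a request target."""
    query = urlsplit(target).query
    return sorted({name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def scan_access_log(lines):
    """Yield (line_number, method, path, params) for every request that leaks sensitive params in its URL."""
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = sensitive_params_in_url(m["target"])
        if hits:
            yield lineno, m["method"], urlsplit(m["target"]).path, hits


# Constructed sample log: one leaking GET (old dialog), one POST (new dialog), one harmless GET.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2016:10:15:01 +0000] "GET /prweb/PRServlet?pyActivity=ChangePassword&Password=Hunter2%21&ConfirmPassword=Hunter2%21 HTTP/1.1" 200 1532
10.0.0.5 - - [21/Dec/2016:10:15:07 +0000] "POST /prweb/PRServlet HTTP/1.1" 200 1532
10.0.0.9 - - [21/Dec/2016:10:16:22 +0000] "GET /prweb/PRServlet?pyActivity=ShowProfile&UserIdentifier=jdoe HTTP/1.1" 200 842
"""


def find_leaks(log_text: str = SAMPLE_LOG) -> list:
    """Run the scan over a log text and collect the findings."""
    return list(scan_access_log(log_text.splitlines()))


if __name__ == "__main__":
    for lineno, method, path, params in find_leaks():
        print(f"line {lineno}: {method} {path} carries {', '.join(params)} in the query string")
```

Any hit after the fix is applied indicates a session still using the old dialog (or another GET form that needs the same treatment); the password values themselves are never printed, only the parameter names.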
Published December 21, 2016 - Updated January 20, 2017