
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Password reset form sends password in plaintext in the URL

SA-31747

Summary



When a user resets their password, the new password is sent in plaintext in the URL of the GET request.


Error Messages



Not Applicable


Steps to Reproduce



Reset your password using the link in the profile of the user portal.


Root Cause



A defect in Pegasystems’ code or rules. The portal uses an old version of the password reset dialog, which submits with GET instead of POST.

Resolution



Perform the following local change:

1) Save the rule @baseclass.Desktop-Operator-Profile-Full into the application ruleset.
2) Copy the HTML Source from the rule @baseclass.Operator-Profile-Full into the HTML Source field of the Desktop-Operator-Profile-Full rule, save into the ruleset.
3) Save or check in Desktop-Operator-Profile-Full.


This will use a new version of the dialog that uses POST. Logged-in users must log out before they see the changes.
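
An added example, not part of the original article or Pega's code: a Python audit of web access logs for requests that carried a password in the query string, as the old GET-based dialog did, plus a helper that masks the values before the log is shared. The Common Log Format layout, the paths and the parameter-name patterns are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: the article does not name the form field, so match password-like names.
SENSITIVE = re.compile(r"pass|pwd", re.I)
# Request portion of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# One key=value pair inside a logged URL.
PAIR = re.compile(r'(?P<pre>[?&](?P<key>[^=&\s"]+)=)(?P<val>[^&\s"]*)')

# Constructed sample lines (hypothetical addresses, paths and parameter names).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2017:10:01:02 +0000] '
    '"GET /example/profile?action=reset&newPassword=S3cret%21x HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2017:10:05:40 +0000] "POST /example/profile HTTP/1.1" 200 498',
    '203.0.113.9 - - [20/Jan/2017:10:06:11 +0000] "GET /example/home?tab=profile HTTP/1.1" 200 2048',
    '203.0.113.9 - - [20/Jan/2017:10:07:30 +0000] "GET /example/profile?p%77d=abc HTTP/1.1" 200 512',
]

def find_leaks(lines):
    """Return (line_no, method, path, [param names]) for each request whose
    query string carries a non-empty password-like parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes names, so an encoded key such as p%77d is caught.
        names = [k for k, _ in parse_qsl(parts.query) if SENSITIVE.search(k)]
        if names:
            hits.append((no, m["method"], parts.path, names))
    return hits

def redact(line):
    """Mask the values of password-like parameters, leaving the rest of the line intact."""
    def mask(m):
        if SENSITIVE.search(unquote_plus(m["key"])):
            return m["pre"] + "[REDACTED]"
        return m.group(0)
    return PAIR.sub(mask, line)

if __name__ == "__main__":
    for no, method, path, names in find_leaks(SAMPLE_LOG):
        print(f"line {no}: {method} {path} exposes {', '.join(names)}")
        print("  " + redact(SAMPLE_LOG[no - 1]))
```

The POST line is not flagged because a form body is not written to the access log, which is the effect of switching the dialog from GET to POST.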
 

 

Published January 20, 2017 - Updated October 8, 2020
