Support Article

Password reset form sends password in plaintext in the URL

SA-31747

Summary

When a user resets their password, the new password is sent in plaintext as a query parameter in the URL of a GET request, where it is exposed to browser history, proxy and web server access logs, and Referer headers.


Error Messages

Not Applicable


Steps to Reproduce

Reset your password using the link in the profile of the user portal.


Root Cause

A defect in Pegasystems’ code or rules: an old version of the password reset dialog is used, and that version submits the form with GET instead of POST, so the new password ends up in the query string.

Resolution

Perform the following local change:

1) Save the rule @baseclass.Desktop-Operator-Profile-Full into the application ruleset.
2) Copy the HTML Source from the rule @baseclass.Operator-Profile-Full into the HTML Source field of the Desktop-Operator-Profile-Full rule, and save it into the ruleset.
3) Save or check in Desktop-Operator-Profile-Full.

This switches to the newer version of the dialog, which submits with POST. Users who are already logged in must log out before they see the change.
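Two checks worth running around this change, as an added example (not Pega code and not taken from either rule): the first parses an HTML Source fragment and flags secret fields that a form submits with anything other than POST (a missing method attribute defaults to GET, so it is flagged too), which confirms the copied source before it is checked in; the second scans access-log lines for request URLs that carried a password field, which is the evidence that the old dialog was in use. The form HTML, the action path, the field names and the log lines are all constructed for this example; a real rule's field names may differ, so the SECRET_FIELDS set is an assumption to extend.

```python
"""Verification helpers for the GET-vs-POST password dialog defect.

Added example; not Pega code. The HTML and log lines below are constructed
to mirror the behaviour the article describes, not taken from any Pega rule.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Field names that must never appear in a query string. Assumption: the
# real dialog's field names may differ, so extend this set to match.
SECRET_FIELDS = {"password", "newpassword", "confirmpassword"}

# Matches the request portion of a common-log-format access log line.
REQUEST_RE = re.compile(r'"(GET|POST) (\S+) HTTP/')


class FormAuditor(HTMLParser):
    """Collect each <form> with its method and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing method attribute defaults to GET, so treat it as unsafe.
            self._current = {"method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("name") or "").strip(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_leaky_forms(html):
    """Return names of secret inputs that a non-POST form would put in the URL."""
    auditor = FormAuditor()
    auditor.feed(html)
    leaks = []
    for form in auditor.forms:
        if form["method"] == "post":
            continue
        for name, typ in form["inputs"]:
            if typ == "password" or name.lower() in SECRET_FIELDS:
                leaks.append(name)
    return leaks


def find_secrets_in_log(lines):
    """Return (line_number, field) pairs where a request URL carried a secret."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(2)).query, keep_blank_values=True)
        for field in query:
            if field.lower() in SECRET_FIELDS:
                hits.append((number, field))
    return hits


# Constructed stand-ins for the old (GET) and new (POST) dialog HTML.
OLD_DIALOG = """
<form action="/portal/profile/changePassword" method="get">
  <input type="password" name="newPassword">
  <input type="password" name="confirmPassword">
  <input type="submit" value="Save">
</form>
"""

NEW_DIALOG = OLD_DIALOG.replace('method="get"', 'method="post"')

# Constructed access-log lines; line 2 is the trace the old dialog leaves behind.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2016:10:00:00 +0000] "GET /portal/profile HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Dec/2016:10:00:07 +0000] "GET /portal/profile/changePassword'
    '?newPassword=Hunter2&confirmPassword=Hunter2 HTTP/1.1" 302 0',
    '10.0.0.5 - - [21/Dec/2016:10:01:00 +0000] "POST /portal/profile/changePassword HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("old dialog leaks:", find_leaky_forms(OLD_DIALOG))  # ['newPassword', 'confirmPassword']
    print("new dialog leaks:", find_leaky_forms(NEW_DIALOG))  # []
    print("log hits:", find_secrets_in_log(SAMPLE_LOG))       # [(2, 'newPassword'), (2, 'confirmPassword')]
```

Run the form audit against the HTML Source field of Desktop-Operator-Profile-Full after step 2 and expect an empty list; any log hits dated before the change mark entries whose passwords should be treated as exposed, and the affected logs should be purged or rotated.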
Published December 21, 2016 - Updated January 20, 2017
