mkinc created
- ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30. Angular Version v16.0.6
- UI Type: Angular
- Database System: Unknown
- Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
- Steps to reproduce the issue:
  - Log in as admin
  - Create a new user 'test1'
  - Logout
  - Login as test1
  - Set up 2FA authenticator app and enable 2FA
  - Logout
  - Login as test1 and confirm 2FA works as expected (without checking remember browser)
  - Logout
  - Login as admin
  - Edit test1 user to enable 'Should change password on next login'
  - Logout
  - In login page, enter credentials for test1 user
- Expected behaviour: Before asking for a new password, 2FA should be completed.
- Actual behaviour:
  - I am asked for current password, new password, new password (repeat) and after submitting that I can login without any 2FA.
  - In order to confirm 2FA is still forced, logout, login again and you will correctly be asked for 2FA.
  - This is a critical security bug where 2FA can be bypassed even if the 2FA is forced.
- This is a critical security bug where 2FA can be bypassed even if the 2FA is forced.
Please let us know when this will be fixed + refund the question. Cheers.
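The ordering problem described in this report can be modelled independently of ABP. The following is an added example, not code from ABP or from the reporter: a simplified login pipeline in Python that contrasts the reported ordering (the forced password change branch signs the user in before the second factor is checked) with the corrected ordering (the second factor must be satisfied before any post-authentication step runs). The `User`, `LoginResult` and `login_flow_*` names, and the `totp_ok` flag standing in for a verified authenticator code, are assumptions of this model and do not correspond to ABP identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Minimal account record (constructed for this example)."""
    name: str
    password: str
    two_factor_enabled: bool = False
    must_change_password: bool = False


@dataclass
class LoginResult:
    """Outcome of a login attempt plus the steps that were actually enforced."""
    authenticated: bool
    completed_steps: list = field(default_factory=list)


def login_flow_vulnerable(user: User, password: str, totp_ok: bool, new_password: str) -> LoginResult:
    """Models the reported behaviour: the forced password change is handled
    right after the password check and returns a signed-in session, so the
    2FA step below it is never reached for users with the flag set."""
    steps = []
    if password != user.password:
        return LoginResult(False, steps)
    steps.append("password")

    if user.must_change_password:
        user.password = new_password
        user.must_change_password = False
        steps.append("change_password")
        return LoginResult(True, steps)  # second factor skipped

    if user.two_factor_enabled:
        if not totp_ok:
            return LoginResult(False, steps)
        steps.append("2fa")
    return LoginResult(True, steps)


def login_flow_fixed(user: User, password: str, totp_ok: bool, new_password: str) -> LoginResult:
    """Corrected ordering: every authentication factor is evaluated before any
    post-authentication obligation (such as a forced password change) runs."""
    steps = []
    if password != user.password:
        return LoginResult(False, steps)
    steps.append("password")

    # Second factor is part of authentication, so it must complete first.
    if user.two_factor_enabled:
        if not totp_ok:
            return LoginResult(False, steps)
        steps.append("2fa")

    # Only an authenticated principal may rotate its own password.
    if user.must_change_password:
        user.password = new_password
        user.must_change_password = False
        steps.append("change_password")
    return LoginResult(True, steps)


def make_test1() -> User:
    """Constructed account mirroring the report: 2FA enabled and forced change pending."""
    return User("test1", "OldP@ss", two_factor_enabled=True, must_change_password=True)


if __name__ == "__main__":
    # Wrong authenticator code, forced change pending: vulnerable flow still signs in.
    print(login_flow_vulnerable(make_test1(), "OldP@ss", totp_ok=False, new_password="NewP@ss"))
    # Same input against the corrected flow: login is refused at the 2FA step.
    print(login_flow_fixed(make_test1(), "OldP@ss", totp_ok=False, new_password="NewP@ss"))
```

The useful check when reviewing a real implementation is the one `login_flow_fixed` makes explicit: any branch that returns a signed-in session must be reachable only after every configured factor has been recorded in the step list.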