The user is not required to enter their current password when changing their email, password or name. This could enable attackers to hijack user accounts.
Example situations:
- User forgets to log out of a public computer and goes away. An attacker can change the email, password and name and take over potential purchased material on the website.
- On websites with an XSS vulnerability, the attacker could change the password, email or name of every user that visits the vulnerable site.
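The following is an added example, not code from the site described in this report. It shows the pattern the report describes (a profile handler that trusts the session alone) next to a hardened handler that re-verifies the current password before changing email, password or name, and that drops every other session once the password is rotated so a forgotten login on a shared computer is cut off. The `Account` store, the `update_profile_*` function names and the session handling are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Set, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Constructed in-memory account record (stand-in for the real user store)."""

    def __init__(self, email: str, password: str, name: str):
        self.email = email
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        # Every active session token for this user; a public-computer login
        # that was never logged out is just another entry here.
        self.sessions: Set[str] = set()

    def login(self) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token


def update_profile_insecure(account: Account, session: str, *,
                            new_email: Optional[str] = None,
                            new_password: Optional[str] = None,
                            new_name: Optional[str] = None) -> bool:
    """The flaw in the report: holding a valid session is the only check.

    Whoever sits down at the still-logged-in browser, or whatever script
    runs in that origin, can rewrite every sensitive field.
    """
    if session not in account.sessions:
        return False
    if new_email:
        account.email = new_email
    if new_password:
        account.salt, account.pw_hash = hash_password(new_password)
    if new_name:
        account.name = new_name
    return True


def update_profile_secure(account: Account, session: str, current_password: str, *,
                          new_email: Optional[str] = None,
                          new_password: Optional[str] = None,
                          new_name: Optional[str] = None) -> bool:
    """Hardened handler: re-authenticate before any sensitive change.

    Returns False without modifying anything when the session is invalid or
    the current password does not verify. After a password change, every
    session except the one making the request is revoked.
    """
    if session not in account.sessions:
        return False
    if not verify_password(current_password, account.salt, account.pw_hash):
        return False
    if new_email:
        account.email = new_email
    if new_name:
        account.name = new_name
    if new_password:
        account.salt, account.pw_hash = hash_password(new_password)
        account.sessions = {session}  # log out the forgotten public-computer session
    return True


if __name__ == "__main__":
    alice = Account("alice@example.com", "correct horse battery", "Alice")
    shared_pc = alice.login()
    # Without the current password, the secure handler refuses the change.
    print(update_profile_secure(alice, shared_pc, "guess", new_email="x@example.com"))
```

In a real web application the current password would come from the same form as the new values and would never be read from the session; the point is that possession of the session cookie alone must not be enough to rotate credentials.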