Not a bug Improper Authentication - Generic (Password reset token not expiring)

siONtI

Well-known member
Affected version: 2.1.5a
Steps to reproduce:
1) Create an account with the email address "firstemail@example.com".
2) Now log out and ask for a password reset link. Don't use the password reset link sent to your mail address.
3) Log in again using the same password, update your email address to "secondemail@example.com" and verify it. Remove "firstemail@example.com".
4) Now log out and use the password reset link that was mailed to "firstemail@example.com" in step 2.
5) The password will be changed and you enter "secondemail@example.com"'s account.

All previous password reset links should automatically expire once a user changes his email address.
 
I'd have to disagree.

The confirmation system is tied to a unique key inside the email, which then connects that record back to the user by its user_id.

If you have that email, it is still valid for the same user whether their email address is different or not.
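Added example for this thread, not XenForo's own code: a minimal Python reset-token store that walks the reported steps against the user_id-only lookup the reply describes, next to a form that also records which address the link was mailed to, so the old link stops working once the email changes. The store layout, the single-use handling and the fingerprint scheme are assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores for this example; not XenForo's real schema.
USERS = {1: {"email": "firstemail@example.com", "password": "old-pass"}}
TOKENS = {}  # token -> {"user_id", "email_fp", "expires"}

def _fingerprint(email):
    # Hash of the address the link was mailed to, stored alongside the token.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def issue_reset_token(user_id, ttl=3600):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user_id": user_id, "expires": time.time() + ttl,
                     "email_fp": _fingerprint(USERS[user_id]["email"])}
    return token

def _consume(token):
    # Single-use lookup honouring the time limit; returns the record or None.
    rec = TOKENS.pop(token, None)
    return rec if rec and time.time() <= rec["expires"] else None

def reset_lookup_only(token, new_password):
    # Behaviour the reply describes: key -> user_id, current email not consulted.
    rec = _consume(token)
    if rec is None:
        return False
    USERS[rec["user_id"]]["password"] = new_password
    return True

def reset_email_bound(token, new_password):
    # Hardened form: the link is honoured only while the account still carries
    # the address it was sent to, so an email change voids outstanding links.
    rec = _consume(token)
    if rec is None:
        return False
    user = USERS[rec["user_id"]]
    if not hmac.compare_digest(rec["email_fp"], _fingerprint(user["email"])):
        return False
    user["password"] = new_password
    return True

def reproduce(hardened):
    # Walk the reported steps; True means the stale link still reset the password.
    USERS[1].update(email="firstemail@example.com", password="old-pass")
    TOKENS.clear()
    token = issue_reset_token(1)                    # step 2: request, don't use
    USERS[1]["email"] = "secondemail@example.com"   # step 3: change address
    reset = reset_email_bound if hardened else reset_lookup_only
    return reset(token, "new-pass")                 # step 4: use the old link
```

Invalidating every outstanding token on an email change (deleting the user's rows) gives the same result without storing a fingerprint; the bound form above just makes the check self-contained.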
 