Improper access control could let any user export all users of the website

Source: www.huntr.dev (report 89D996A2-DE30-4261-8E3F-98E54CB25F76)
Reported by: lekhang123lc
Published: 2022-04-13 02:55:13
Tags: access control, user data, website

EPSS: 0.001 (percentile 49.6%)

Description

A user who has to change their password after logging in can export the website’s user data.

Proof of Concept

Step 1: log in to the website with an admin account and change the password of a user. Check the box “Force password change upon next login” and save.

Step 2: log in to the website with the account whose password you just changed. You will be shown a change-password page.

Step 3: go to the link domain/admin/user/export?format=xlsx. You will see that this account can export the users' data without admin privileges.

You may try it out on ncsctest.humhub.com, which is my demo site. After logging in, the user tester / 123123 will be forced to change their password. You can view the export file humhub user.xlsx at https://ncsctest.humhub.com/admin/user/export?format=xlsx.
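The report describes two controls that should both have stopped step 3: the pending forced password change, and the admin role required for the export route. The following is an added illustration (not code from the report or from the affected product) of a server-side authorization policy that enforces both on every request; the session fields, the `/dashboard` path and the `/user/auth/...` paths are assumptions, only `/admin/user/export?format=xlsx` comes from the report.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical paths that stay reachable while a forced password change is pending.
PASSWORD_CHANGE_PATHS = {"/user/auth/change-password", "/user/auth/logout"}
EXPORT = "/admin/user/export?format=xlsx"  # the route named in the report


@dataclass(frozen=True)
class Session:
    username: str
    is_admin: bool
    must_change_password: bool  # assumed flag set by "Force password change upon next login"


def authorize_vulnerable(session: Session, path: str) -> bool:
    """Models the reported behaviour: the forced password change is only applied
    where the interstitial page is shown, and the export route checks nothing
    beyond a valid login, so a non-admin user mid-password-change is served."""
    if session.must_change_password and urlsplit(path).path == "/dashboard":
        return False  # bounced to the change-password page here ...
    return True       # ... but every other route, including the export, is served


def authorize_fixed(session: Session, path: str) -> bool:
    """Checks applied to every request, independent of which page the UI shows."""
    route = urlsplit(path).path  # compare without the query string
    # 1. A pending forced password change confines the session to the
    #    password-change flow; every other route is denied, not merely redirected.
    if session.must_change_password and route not in PASSWORD_CHANGE_PATHS:
        return False
    # 2. The admin area, including the user export, requires the admin role.
    if route.startswith("/admin/") and not session.is_admin:
        return False
    return True


def export_allowed(policy, session: Session) -> bool:
    """Evaluate a policy against the export route from the report."""
    return policy(session, EXPORT)


if __name__ == "__main__":
    # Constructed sessions: the PoC's forced-change user and a regular admin.
    tester = Session("tester", is_admin=False, must_change_password=True)
    admin = Session("admin", is_admin=True, must_change_password=False)
    print("vulnerable policy, tester:", export_allowed(authorize_vulnerable, tester))  # True
    print("fixed policy, tester:    ", export_allowed(authorize_fixed, tester))       # False
    print("fixed policy, admin:     ", export_allowed(authorize_fixed, admin))        # True
```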

