When registered users are permitted to change their email address to a new one without further confirming that the user is in fact at that email address.
I've followed this issue here Use email verification when changing user email addresses 🐛 Use email verification when changing user email addresses Needs work and applied this patch #312 🐛 Use email verification when changing user email addresses Needs work and it worked for drupal 8.9.x and 9.1.x.
It would be a great feature if this added to the Varbase distribution.
Closed: outdated
9.0
Miscellaneous
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.