Restrict any user from logging in to their account

Disclosed: 2024-07-19 14:39:12 By prakhar0x01 To deptofdefense
High
Vulnerability Details
Hi Triager, I found that an attacker can change their own email address to the victim's (an existing user's) email and thereby restrict the victim from accessing their account.

Vulnerable Domain: `www.██████████.mil`

User-A: Attacker
User-B: Victim

Both User-A and User-B are registered users and have separate accounts on `www.███.mil`.

## Steps to Reproduce

1. Log in to the attacker's account, User-A ([email protected]).
2. Log in to the victim's account, User-B ([email protected]).
3. In the attacker's account, navigate to the `Update Profile` section.
4. Change the attacker's email to `[email protected]`. The change is accepted, so the attacker now holds the victim's email address (not the victim's account).
5. Now try to log in to the victim's account (with the victim's email and password). The application returns `Invalid Credentials`.

## References

████

## Impact

1. Restrict any user from accessing their account.
2. Improper authentication on the change-email functionality.

## System Host(s)

www.██████.mil

## Affected Product(s) and Version(s)

## CVE Numbers

## Suggested Mitigation/Remediation Actions

1. Set proper authentication on the `Update Profile` functionality.
Report Stats
  • Report ID: 2586616
  • State: Closed
  • Substate: resolved
  • Upvotes: 13