Saving new passwords does not require the old one

Another security issue that I just found: When saving a new password under User Account Settings page, the old password is not required.

This is also bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.

Thanks for the reports! Could you file a ticket here (requires OSM-Account (same as here), Component “website”)?

Done and done.