From 7b21b38ac4532d06565dfcefad50540ebd2b50f4 Mon Sep 17 00:00:00 2001
From: Steve Boyd <emteknetnz@gmail.com>
Date: Fri, 12 May 2023 12:24:12 +1200
Subject: [PATCH] [CVE-2023-32302] Require password field to be non-empty

---
 src/Security/Member.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Security/Member.php b/src/Security/Member.php
index 869b82efd..c0b3c7ac6 100644
--- a/src/Security/Member.php
+++ b/src/Security/Member.php
@@ -731,7 +731,7 @@ class Member extends DataObject
             $password->setRequireExistingPassword(true);
         }
 
-        $password->setCanBeEmpty(true);
+        $password->setCanBeEmpty(false);
         $this->extend('updateMemberPasswordField', $password);
 
         return $password;