Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 08.03.2024
Last edited by nferrari - 27.03.2024

FS#37 - unverified password change in [admin.alwaysdata.com]


Hello team!

I have found an interesting flaw where an attacker can change the account password without knowing the old password.

When the user requests a password reset link, it ends up in the activity log inside the account, and this bug can be exploited by an attacker.

Steps to reproduce the bug:

1. Create a new account on [admin.alwaysdata.com]
2. Log in to your account
3. Request the password reset link from another browser
4. You will notice that the password reset link you requested has arrived in the activity log

Impact:
If the attacker hijacks the session or gains access to the user account, he can request a password reset link and the link will reach him in the Account Activity Log, from which he can reset the account password without knowing the old password.

Closed by nferrari
27.03.2024 14:57
Reason for closing: Fixed

Any update?

Admin

Hello,

We will take a look and then get back to you.

Any update?

Hi Team,

Is there any update to the status of the report?

Admin

Hi,

Our security team is processing your request. We will come back to you pretty soon.

Thank you!

Hi,

Any update?

Admin

Hi,

Thanks to your report, our team decided not to include the email content in activity logs anymore.

Can you please contact us through the Support section in our administration panel?

This report is now closed.
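The following is an added example modelling the flaw described in the report and the fix the admin describes (logging the event, not the e-mail content). It is not alwaysdata's code: the domain, the account model, the function names and the log entry shapes are all assumptions made here for illustration.

```python
"""Model of the reported flaw: a password-reset e-mail whose body (reset link
included) is copied into the account's activity log, so anyone holding a
logged-in session can read the link back without touching the mailbox.

Added example, not alwaysdata code. Domain, log shapes and names are assumed.
"""
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical reset URL; the real one is not on the page.
RESET_BASE = "https://admin.example.invalid/password/reset/"
RESET_URL_RE = re.compile(re.escape(RESET_BASE) + r"[A-Za-z0-9_-]+")


@dataclass
class Account:
    """Minimal stand-in for a hosting account with an activity log."""
    email: str
    activity_log: list = field(default_factory=list)


def mask_email(addr: str) -> str:
    """b***@example.com: enough for the user to recognise the event, no more."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def build_reset_email(token: str) -> str:
    """The mail body that is actually sent; it carries the secret link."""
    return f"Click to reset your password: {RESET_BASE}{token}"


def send_reset_vulnerable(account: Account) -> str:
    """Before the fix: the full e-mail body is stored in the activity log."""
    token = secrets.token_urlsafe(32)
    body = build_reset_email(token)
    # deliver_mail(account.email, body)  # hypothetical delivery call
    account.activity_log.append(
        {"event": "email_sent", "to": account.email, "body": body}
    )
    return token


def send_reset_fixed(account: Account) -> str:
    """After the fix: record that a reset was requested, never the content."""
    token = secrets.token_urlsafe(32)
    body = build_reset_email(token)
    # deliver_mail(account.email, body)  # hypothetical delivery call
    account.activity_log.append(
        {"event": "password_reset_requested", "to": mask_email(account.email)}
    )
    return token


def reset_links_in_log(account: Account) -> list:
    """Everything a holder of the logged-in session can lift from the log.

    This is the attacker's step 4 from the report: open the activity log
    and look for a reset link. It also doubles as a check you can run over
    existing log entries to confirm no secret-bearing URL is stored.
    """
    found = []
    for entry in account.activity_log:
        for value in entry.values():
            found.extend(RESET_URL_RE.findall(str(value)))
    return found


if __name__ == "__main__":
    victim = Account("alice@example.com")
    send_reset_vulnerable(victim)
    print("vulnerable log leaks:", reset_links_in_log(victim))
    victim = Account("alice@example.com")
    send_reset_fixed(victim)
    print("fixed log leaks:", reset_links_in_log(victim))
```

The point of the fix is that the activity log is readable by exactly the principal the reset flow is meant to defeat (a live session without the old password), so anything in it must be safe to hand to that principal: the event and a masked recipient, not the mail body.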
