Status: Closed
Assigned To: nferrari - Private
Opened by monty099 - 08.03.2024
Last edited by nferrari - 27.03.2024
FS#37 - unverified password change in [admin.alwaysdata.com]
Hello team!
I have found an interesting flaw where an attacker can change the account password without knowing the old password.
When the user requests a password reset link, it appears in the activity log inside the account, and this bug can be exploited by an attacker.
Steps to reproduce the bug:
1. Create a new account on [admin.alwaysdata.com]
2. Log in to your account
3. Request the password reset link from another browser
4. You will notice that the password reset link you requested has arrived in the activity log
Impact:
If the attacker hijacks the session or gains access to the user account, he can request a password reset link and the link will reach him in the Account Activity Log, from which he can reset the account password without knowing the old password.
Any update?
Hello,
We will take a look and then get back to you.
Any update?
Hi Team,
Is there any update to the status of the report?
Hi,
Our security team is processing your request. We will come back to you pretty soon.
Thank you!
Hi,
Any update?
Hi,
Thanks to your report, our team decided not to include the email content in activity logs anymore.
Can you please contact us through the Support section in our administration panel?
This report is now closed.
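As an added example (not alwaysdata's code; the class and function names are hypothetical and the sample entries are constructed), this is the shape of the mitigation the closing reply describes: an account activity log that records that a password-reset e-mail was sent without storing its content, plus a redaction pass that strips token-bearing URLs from any free-text entry, so a caller that mistakenly logs a raw e-mail body still cannot leak a working reset link into the log.

```python
"""Activity log that never stores e-mail content (added example, hypothetical names)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that commonly carry one-time secrets (assumed list).
SECRET_PARAMS = {"token", "key", "code", "reset", "signature", "sig"}
# A long opaque path segment, e.g. /reset/<32 hex chars>/, is treated as a token.
_TOKEN_RE = re.compile(r"/[A-Za-z0-9_\-]{20,}(?=/|$)")
# Any http(s) URL inside free text.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def redact_url(url: str) -> str:
    """Replace secret-bearing query values and token-like path segments."""
    parts = urlsplit(url)
    query = [
        (k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    path = _TOKEN_RE.sub("/REDACTED", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def redact_secrets(text: str) -> str:
    """Redact every URL found in a free-text message."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0)), text)


def mask_email(address: str) -> str:
    """Keep only the first character of the local part: alice@... -> a***@..."""
    local, _, domain = address.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


@dataclass(frozen=True)
class ActivityEvent:
    when: datetime
    kind: str
    detail: str


class ActivityLog:
    """In-memory stand-in for an account activity log (constructed for this example)."""

    def __init__(self) -> None:
        self._events: list[ActivityEvent] = []

    def record(self, kind: str, detail: str) -> None:
        # Defence in depth: every free-text detail is redacted before it is stored.
        self._events.append(
            ActivityEvent(datetime.now(timezone.utc), kind, redact_secrets(detail))
        )

    def record_email_sent(self, template: str, recipient: str) -> None:
        # Fixed-schema entry: which template went to whom, never the rendered content.
        self.record("email.sent", f"template={template} to={mask_email(recipient)}")

    def entries(self) -> list[tuple[str, str]]:
        return [(e.kind, e.detail) for e in self._events]


if __name__ == "__main__":
    log = ActivityLog()
    # Correct usage: only metadata about the e-mail is recorded.
    log.record_email_sent("password_reset", "alice@example.com")
    # Mistaken usage: a constructed raw e-mail body is passed in; the link is still redacted.
    log.record(
        "email.body",
        "Reset: https://admin.example.com/password/reset/3f9c1b2a7d4e6f8a9b0c1d2e3f4a5b6c/ now",
    )
    for kind, detail in log.entries():
        print(kind, detail)
```

The structured `record_email_sent` entry is the actual fix: the log answers "was a reset mail sent, when, and to whom" without holding anything that lets a reader of the log complete the reset. The `redact_secrets` pass only guards against future callers reintroducing content, and a regex cannot recognise every token format, so it should not be relied on in place of the schema change.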