Improper Access Control in cortezaproject/corteza-server
Valid
Reported on Oct 6th 2021
Hi, old unused password reset tokens are not expired after the new one is used.
Suppose I am an attacker and I have access to the recovery email of the victim's account. I log in to the victim's recovery email (suppose it is user@gmail.com). Then I use the forgot password option. I get a password reset link. I note the reset link and then delete the email from user@gmail.com. In the meantime the victim realises that someone has gained access to his account. He then resets the password of his (Corteza) account by issuing a new reset link, and he also changes the password of his (Corteza) account so that nobody can hack his account again.
Now it is time for my exploitation.
I will use my reset link, which is still live even after the issuance of the new reset link, and I will hack into the victim's account.
A suggestion to fix this issue:
Use a limited lifespan for a reset link.
All unused reset links should expire automatically after the issuance of a new reset link.
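The two rules the reporter asks for (a bounded lifetime, and revocation of every earlier token when a new one is issued) amount to a small token-store policy. The following Go program is an added example written for this page; it is not Corteza's code and does not describe how corteza-server stores reset tokens. The type and function names (ResetStore, Issue, Redeem, RevokeAll, ErrInvalidToken) are assumptions chosen for the illustration. It goes one step beyond the report: tokens are also single-use, stored only as a SHA-256 digest so a database leak does not expose live links, and the store exposes RevokeAll so a password change can drop any outstanding links as well.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken is returned for unknown, revoked, expired or already-used tokens.
// Callers get one generic error so the response does not reveal which case applied.
var ErrInvalidToken = errors.New("reset token invalid, expired or already used")

// resetToken is one outstanding reset link. Only the digest of the raw token
// is kept; the raw value exists solely in the email that was sent.
type resetToken struct {
	userID  string
	expires time.Time
}

// ResetStore is a hypothetical in-memory token store (example code, not Corteza's).
// Keys are hex(sha256(rawToken)), so lookups never compare secrets byte by byte.
type ResetStore struct {
	ttl    time.Duration
	tokens map[string]*resetToken
	now    func() time.Time // injectable clock so expiry can be tested deterministically
}

// NewResetStore creates a store whose tokens live for ttl. A nil clock means time.Now.
func NewResetStore(ttl time.Duration, now func() time.Time) *ResetStore {
	if now == nil {
		now = time.Now
	}
	return &ResetStore{ttl: ttl, tokens: make(map[string]*resetToken), now: now}
}

// digest is the storage key for a raw token.
func digest(raw string) string {
	h := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(h[:])
}

// RevokeAll drops every outstanding token for the user. Called on Issue and
// whenever the user changes their password, so a link captured earlier dies.
func (s *ResetStore) RevokeAll(userID string) {
	for key, t := range s.tokens {
		if t.userID == userID {
			delete(s.tokens, key)
		}
	}
}

// Issue mints a fresh 256-bit random token for the user and invalidates all
// earlier ones, which is the second rule in the reporter's suggested fix.
func (s *ResetStore) Issue(userID string) (string, error) {
	s.RevokeAll(userID)
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[digest(tok)] = &resetToken{userID: userID, expires: s.now().Add(s.ttl)}
	return tok, nil
}

// Redeem validates a token presented by a reset link and consumes it.
// A token that is unknown, expired (first rule of the fix) or already used is rejected.
func (s *ResetStore) Redeem(tok string) (string, error) {
	key := digest(tok)
	t, ok := s.tokens[key]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.tokens, key) // single-use: consumed whether or not it turns out to be expired
	if s.now().After(t.expires) {
		return "", ErrInvalidToken
	}
	return t.userID, nil
}

func main() {
	s := NewResetStore(15*time.Minute, nil)
	attackerLink, _ := s.Issue("victim") // attacker requests a reset from the victim's mailbox
	victimLink, _ := s.Issue("victim")   // victim notices and requests a new reset link
	if _, err := s.Redeem(attackerLink); err != nil {
		fmt.Println("older link rejected:", err)
	}
	if uid, err := s.Redeem(victimLink); err == nil {
		fmt.Println("newest link accepted for user", uid)
	}
}
```

With this policy the scenario in the report no longer works: issuing the victim's new link revokes the attacker's copy, the victim's password change can call RevokeAll to drop any link still unsent or unread, and a link that is never used dies on its own once the TTL passes.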
We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back
2 years ago
We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale.
2 years ago
Hi, thank you for reporting; I'll get one of our guys to confirm this and propose a fix.