Improper Access Control in cortezaproject/corteza-server


Reported on Oct 6th 2021

Hi, old unused password reset tokens are not being expired after a new one is used.

Suppose I am an attacker and I got access to the recovery email option of the victim's account. I logged in to the victim's recovery email (suppose that is Then I used the forgot password option. I will get one password reset link. I noted the reset link and then deleted the email from In the meantime the victim understood that someone got access to his account. Then he reset the password of his account (corteza) by issuing a new reset link, and he also changed the password of his account (corteza) so that no one can hack his account again.

Now it's time for my exploitation.

I will use my reset link, which is still live even after your issuance of a new reset link, and I will hack into the victim's account.

A suggestion to fix this issue:

Use a fixed lifespan for a reset link.

All unused reset links should expire automatically after the issuance of a new reset link.
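As an added example (not code from the report or from the corteza-server code base), a Go reset-token store that applies both suggestions above: each token carries a hard expiry, and issuing a new token for a user supersedes any earlier unused one, so the scenario in the report (redeeming an older link after a newer one was issued) fails. Tokens are also stored hashed and consumed on first use. The names `ResetStore`, `Issue` and `Redeem` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

var ErrInvalidToken = errors.New("reset token invalid, expired or superseded")
type resetEntry struct {
	hash    [32]byte  // only the SHA-256 of the token is stored at rest
	expires time.Time // hard expiry, enforced even if no newer token is issued
}

// ResetStore keeps at most one live reset token per user, so issuing a new
// token replaces (and thereby invalidates) any earlier, still-unused one.
// Single-goroutine demo: a real service would back this with a DB table.
type ResetStore struct {
	ttl    time.Duration
	byUser map[string]resetEntry // keyed by user ID
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{ttl: ttl, byUser: map[string]resetEntry{}}
}

// Issue generates a fresh random token for userID and drops any earlier one.
func (s *ResetStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.byUser[userID] = resetEntry{hash: sha256.Sum256([]byte(tok)), expires: time.Now().Add(s.ttl)}
	return tok, nil
}

// Redeem accepts a token once: it must be the user's latest token and unexpired.
func (s *ResetStore) Redeem(userID, tok string) error {
	e, ok := s.byUser[userID]
	h := sha256.Sum256([]byte(tok))
	if !ok || time.Now().After(e.expires) || subtle.ConstantTimeCompare(e.hash[:], h[:]) != 1 {
		return ErrInvalidToken
	}
	delete(s.byUser, userID) // single use: a redeemed token cannot be replayed
	return nil
}
```

Because the store is keyed by user ID and overwritten on every `Issue`, the victim's own reset request is what revokes the attacker's earlier link.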

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 2 years ago
2 years ago


any update??

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. 2 years ago
Tomaž Jerman
2 years ago


Hi, thank you for reporting; I'll get one of our guys to confirm this and propose a fix.

Denis Arh
a year ago


Fixed and waiting for internal review & qc.

Denis Arh validated this vulnerability a year ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh marked this as fixed in 2021.9.8 with commit d2d024 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE