Weak Password Change Mechanism in bookwyrm-social/bookwyrm
Jul 9th 2022
When a user sets a new password, the application does not require knowledge of the current password (the current password is not requested).
Proof of Concept
1. Log in as a regular user.
2. Navigate to https://book.dansmonorage.blue/preferences/password
3. Enter any new password string and submit; the change is accepted without the current password.
If an attacker gains access to an active user session (e.g. a logged-in browser left unattended), they do not need to know the victim's current password to take over the account completely.
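The weakness and its fix side by side, as an added example that is not bookwyrm's own code: the weak handler lets anyone holding a valid session set a new password, while the hardened handler only applies the change after the caller proves the current password, and then revokes the user's other sessions so a hijacked session is logged out. PBKDF2-HMAC and the in-memory session table are stand-ins for the framework's hasher and session backend (assumptions of this example); all usernames and passwords are constructed.

```python
"""Current-password check for a password-change endpoint (added example, not bookwyrm code)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # stand-in for the framework's configured password hasher


@dataclass
class User:
    """Minimal stand-in for an application user record (constructed for this example)."""
    username: str
    salt: bytes
    password_hash: bytes


@dataclass
class SessionStore:
    """Constructed in-memory session table: session token -> username."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user.username
        return token

    def is_valid(self, token: str) -> bool:
        return token in self.sessions

    def revoke_others(self, user: User, keep_token: str) -> int:
        """Log out every other session of this user; returns how many were revoked."""
        stale = [t for t, name in self.sessions.items()
                 if name == user.username and t != keep_token]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt))


def verify_password(user: User, candidate: str) -> bool:
    # Constant-time comparison so the check leaks nothing through timing.
    return hmac.compare_digest(user.password_hash, hash_password(candidate, user.salt))


def _set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.password_hash = hash_password(new_password, user.salt)


def change_password_weak(user: User, new_password: str) -> None:
    """Weak form matching the report: a valid session is the only thing required."""
    _set_password(user, new_password)


def change_password(store: SessionStore, token: str, user: User,
                    current_password: str, new_password: str) -> bool:
    """Hardened form: proof of the current password gates the change."""
    if not store.is_valid(token):
        return False  # not logged in at all
    if not verify_password(user, current_password):
        return False  # reject without touching the record; a real app would log this
    _set_password(user, new_password)
    # A password change is the moment to evict any session the user does not hold.
    store.revoke_others(user, token)
    return True
```

In Django, which bookwyrm is built on, the distinction is the one between `PasswordChangeForm` (has an `old_password` field that is checked in `clean_old_password`) and `SetPasswordForm` (no current-password field, intended for reset flows where identity was proven another way); after a change, `update_session_auth_hash` keeps only the session that made the change valid.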