Weak Password Change Mechanism in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 9th 2022


Description

When setting a new user password, it does not require knowledge of the original password (the current password is not required).

Proof of Concept

1. Log in as a regular user.
2. Navigate to: https://book.dansmonorage.blue/preferences/password
3. Enter any password string.

Impact

If an attacker can gain access to an active user session (i.e. accessing the terminal when the user stands up), it would not be necessary to know the victim's current password in order to fully compromise the account.
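To show the difference between the behaviour reported above and a change-password flow that re-authenticates first, here is an added example (not BookWyrm's code; BookWyrm is a Django app, and Django's own PasswordChangeForm enforces the same check through its old_password field). The User class, its PBKDF2 storage and the two change functions are constructed for illustration only.

```python
import hashlib
import hmac
import os


class User:
    """Constructed stand-in for a stored account: salted PBKDF2 password hash."""

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, candidate):
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(self._hash(candidate, self.salt), self.password_hash)

    def set_password(self, new_password):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(new_password, self.salt)


def change_password_weak(user, new_password):
    """The pattern the report describes: possession of a logged-in session is
    enough to rotate the credential, so a hijacked session is a full takeover."""
    user.set_password(new_password)
    return True


def change_password(user, current_password, new_password):
    """Hardened form: require proof of the current password before the change,
    so a stolen session alone cannot lock the real owner out."""
    if not user.check_password(current_password):
        return False  # reject; the caller should log this as a failed attempt
    user.set_password(new_password)
    return True
```

A production handler should additionally rotate the session key after a successful change so that other sessions for the account are invalidated.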

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. (a month ago)
Kiran PP modified the report (a month ago)
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back. (a month ago)
Mouse Reeve validated this vulnerability (a month ago)
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 137311 (a month ago)
The fix bounty has been dropped
Kiran PP
a month ago

Researcher


If possible, can we go for a CVE? @maintainer @admin

Kiran PP
a month ago

Researcher


Similar cases:

  1. https://www.rapid7.com/db/vulnerabilities/opencrx-cve-2020-7378/
  2. https://www.cvedetails.com/cve/CVE-2017-14005/
  3. https://nvd.nist.gov/vuln/detail/CVE-2018-7809
Jamie Slome
a month ago

Admin


It is up to the maintainer if they would like a CVE for this report 👍 Once we hear back from them, we can assign and publish a CVE.

Kiran PP
a month ago

Researcher


If that's the case, are you okay with the same, sir?

@maintainer

Kiran PP
25 days ago

Researcher


The vulnerability is not yet fixed. I cross-checked the demo version just a moment ago. I hope it'll be fixed soon, and if you're happy, assign a CVE for the case.

@maintainer
