Authentication Bypass by Primary Weakness in kestasjk/webdiplomacy
Jul 23rd 2021
According to previous explanation about weak cryptographic tokens, you also send the same weak token to users that forgot their passwords.
here an attacker can also do Bruteforce attacks to take control of users accounts.
🕵️♂️ Proof of Concept
attacker without any captcha can easily can perform this attack.
This vulnerability is capable of take control of all user's accounts that already attackers knows their emails.