Missing Authentication for Critical Function in kareadita/kavita

Valid

Reported on

Nov 15th 2022


Description

Generally, when users try to change their password, they are asked to verify the request by entering their current password. The same check should apply to changing the email address, since the email address is itself a sensitive account setting.

When a user changes the email address, the website sends a verification mail to the new address without asking for the current password or sending a confirmation code to the old address.

Proof of Concept

1. Go to https://demo.kavitareader.com/preferences#account
2. Enter a new email address (any fake address will do).
3. A pop-up message confirms that a verification mail has been sent to the new address.
4. Note that no password confirmation was requested at any point during this sensitive action.

Mitigation: require the user to confirm their current password before sensitive account actions such as an email change are accepted, and notify the old address that a change was requested.
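As an added example (not Kavita's own code, which is C#/ASP.NET, and not part of the original report), the following Python sketch models the two flows side by side: a vulnerable handler that starts an email change as soon as a session exists, and a hardened one that re-authenticates with the current password first and also notifies the old address. The account record, mail sink, token handling and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Constructed in-memory account record (not Kavita's data model)."""
    email: str
    salt: bytes
    pw_hash: bytes
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class MailSink:
    """Stands in for an outbound mail service so the example runs offline."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


class ReauthenticationRequired(Exception):
    """Raised when a sensitive action is attempted without the current password."""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real deployment would use the framework's hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email=email, salt=salt, pw_hash=hash_password(password, salt))


def verify_password(acct: Account, password: str) -> bool:
    # Constant-time comparison so the check does not leak hash bytes via timing.
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


def _start_email_change(acct: Account, mail: MailSink, new_email: str) -> None:
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    mail.send(new_email, "Confirm your new email address")


def change_email_vulnerable(acct: Account, mail: MailSink, new_email: str) -> None:
    # The behaviour the report describes: a logged-in session is the only
    # requirement, so anyone at an unattended browser can do this.
    _start_email_change(acct, mail, new_email)


def change_email_hardened(acct: Account, mail: MailSink, new_email: str,
                          current_password: str) -> None:
    # Re-authenticate before the sensitive action, as the mitigation recommends.
    if not verify_password(acct, current_password):
        raise ReauthenticationRequired("current password required to change email")
    _start_email_change(acct, mail, new_email)
    # Also tell the old address, so the legitimate owner learns of the attempt.
    mail.send(acct.email, "An email address change was requested on your account")


def confirm_email_change(acct: Account, token: str) -> bool:
    """Completes the change only when the token mailed to the new address is presented."""
    if acct.pending_token is None or not hmac.compare_digest(acct.pending_token, token):
        return False
    acct.email = acct.pending_email or acct.email
    acct.pending_email = None
    acct.pending_token = None
    return True


def demo() -> dict:
    """Runs both flows against a constructed account and reports the outcomes."""
    results = {}
    acct = create_account("owner@example.com", "correct horse battery staple")
    mail = MailSink()
    change_email_vulnerable(acct, mail, "attacker@example.net")
    results["vulnerable_pending"] = acct.pending_email
    results["vulnerable_mails"] = [to for to, _ in mail.sent]

    acct = create_account("owner@example.com", "correct horse battery staple")
    mail = MailSink()
    try:
        change_email_hardened(acct, mail, "attacker@example.net", "wrong guess")
        results["hardened_wrong_pw"] = "allowed"
    except ReauthenticationRequired:
        results["hardened_wrong_pw"] = "rejected"
    results["hardened_wrong_pw_pending"] = acct.pending_email
    change_email_hardened(acct, mail, "new@example.org", "correct horse battery staple")
    results["hardened_mails"] = [to for to, _ in mail.sent]
    results["bad_token_accepted"] = confirm_email_change(acct, "not-the-token")
    results["good_token_accepted"] = confirm_email_change(acct, acct.pending_token)
    results["final_email"] = acct.email
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the difference concretely: the vulnerable path starts the change and mails only the attacker-controlled address, while the hardened path refuses a wrong password, leaves no pending change behind, and mails both the new and the old address when the password is correct. The password check uses a constant-time comparison, and the confirmation token is compared the same way so that the change cannot be completed by guessing.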

Impact

If someone leaves their account logged in on a public or shared computer (for example in an office or a cafe), an attacker with access to that session can change the email address associated with the account without knowing the password. Since the account email is typically the channel for password resets and security notifications, this can give the attacker a route to take over the account.

References

We are processing your report and will contact the kareadita/kavita team within 24 hours. 5 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 5 months ago
Joe Milazzo validated this vulnerability 3 months ago
Eslam Kamal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Eslam Kamal
3 months ago

Researcher


@Admin Can we assign a new CVE?

Ben Harvie
2 months ago

Admin


Hi Eslam, CVE assignment is in the hands of the maintainer.

Joe Milazzo
2 months ago

Maintainer


This has been fixed and I will update the status when a release window has been set.

Joe Milazzo marked this as fixed in 0.7.0 with commit 6648b7 a month ago
Joe Milazzo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Milazzo published this vulnerability a month ago