Missing Authentication for Critical Function in kareadita/kavita


Reported on

Nov 15th 2022


Generally, when users try to change the password, they are asked to verify the request by entering the old password. For the same reason, verification should be there on changing email.

when user changes the email address then the website sends verification mail to the new mail id without asking current password or sending confirm code to the old email id.

Proof of Concept

1. Go to https://demo.kavitareader.com/preferences#account
2. enter new email id (any fake email)
3. a new message pop-up confirms that a verification sent to the new email
4. notice that there is no password confirmation during this sensitive action 

Mitigation: There must be a password confirmation on sensitive actions like email change


If someone leaves his account open on a public computer(say office or cafe), then the attacker can change the email associated with this account easily


We are processing your report and will contact the kareadita/kavita team within 24 hours. 5 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 5 months ago
Joe Milazzo validated this vulnerability 3 months ago
Eslam Kamal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Eslam Kamal
3 months ago


@Admin Can we assign a new CVE?

Ben Harvie
2 months ago


Hi Eslam, CVE assignment is in the hands of the maintainer.

Joe Milazzo
2 months ago


This has been fixed and I will update the status when we a release window has been set.

Joe Milazzo marked this as fixed in 0.7.0 with commit 6648b7 a month ago
Joe Milazzo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Milazzo published this vulnerability a month ago
to join this conversation