Missing Authentication for Critical Function in kareadita/kavita
Nov 15th 2022
Generally, when users try to change their password, they are asked to verify the request by entering the old password. For the same reason, verification should be required when changing the email address.
When a user changes the email address, the website sends a verification mail to the new address without asking for the current password or sending a confirmation code to the old email address.
Proof of Concept
1. Go to https://demo.kavitareader.com/preferences#account
2. Enter a new email address (any fake email).
3. A new pop-up message confirms that a verification mail was sent to the new email address.
4. Notice that there is no password confirmation during this sensitive action.
Mitigation: there must be a password confirmation on sensitive actions such as an email change.
If someone leaves their account logged in on a public computer (say in an office or a cafe), an attacker can easily change the email address associated with that account.
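As an added illustration of the mitigation (example code, not Kavita's own), the unprotected handler the report describes sits beside a hardened one that re-authenticates with the current password, mails a confirmation token to the new address and notifies the old address; the `User` class, the in-memory `notifications` list standing in for outbound mail, and the PBKDF2 parameters are assumptions for this example.

```python
"""Added example (not Kavita's code): an email-change handler with and without
re-authentication, using a constructed in-memory user instead of a database."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    pending_email: Optional[str] = None
    # Constructed stand-in for outbound mail: (kind, recipient[, token])
    notifications: List[Tuple] = field(default_factory=list)


def make_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))


def verify_password(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, ITERATIONS)
    return hmac.compare_digest(candidate, user.pw_hash)  # constant-time compare


def change_email_unprotected(user: User, new_email: str) -> bool:
    # Behaviour described in the report: a valid session is all that is required,
    # so anyone at an unlocked browser can redirect the account's email.
    user.pending_email = new_email
    user.notifications.append(("verify", new_email))
    return True


def change_email(user: User, current_password: str, new_email: str) -> bool:
    # Hardened: require the current password before touching the address,
    # confirm the new address with a random token, and tell the old address.
    if not verify_password(user, current_password):
        return False
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.notifications.append(("verify", new_email, token))
    user.notifications.append(("notice", user.email))  # old owner can react to a hijack
    return True
```

The notice to the old address is the second half of the fix: even if the password check is somehow bypassed, the legitimate owner learns about the change.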
@Admin Can we assign a new CVE?
Hi Eslam, CVE assignment is in the hands of the maintainer.
This has been fixed and I will update the status when a release window has been set.