Password reset link not expired in answerdev/answer
Valid
Reported on Mar 21st 2023
Hi team, I hope you are well today.
This is the step: Reset your password with this link https://meta.answer.dev/users/account-recovery
I have recognized that links can be used many times.
Besides, https://meta.answer.dev/users/account-activation?code=... (account activation) has the same vulnerability.
OK, thanks.
Here is the same report: https://hackerone.com/reports/685007
Impact
account takeover
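The property the report says is missing, that a recovery or activation code stops working after its first use, shown as an added Go example. It is not code from the report or from the answerdev/answer fix; ResetStore, Issue, Redeem and the 15-minute lifetime are assumed names and values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sync"
	"time"
)

type pending struct {
	userID  string
	expires time.Time
}

// ResetStore (hypothetical) keeps only SHA-256 hashes of unused codes.
type ResetStore struct {
	ttl   time.Duration
	codes sync.Map // [32]byte code hash -> pending
}

// Issue returns a random 256-bit code to embed in the e-mailed link.
func (s *ResetStore) Issue(userID string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := fmt.Sprintf("%x", raw)
	s.codes.Store(sha256.Sum256([]byte(code)), pending{userID: userID, expires: now.Add(s.ttl)})
	return code, nil
}

// Redeem consumes the code atomically: a replay or a concurrent request fails.
func (s *ResetStore) Redeem(code string, now time.Time) (string, bool) {
	v, ok := s.codes.LoadAndDelete(sha256.Sum256([]byte(code)))
	if !ok || now.After(v.(pending).expires) {
		return "", false
	}
	return v.(pending).userID, true
}

func main() {
	s, now := &ResetStore{ttl: 15 * time.Minute}, time.Now()
	code, _ := s.Issue("user-1", now) // constructed sample user ID
	_, first := s.Redeem(code, now)
	_, replay := s.Redeem(code, now)
	fmt.Println("first use:", first, "replay:", replay)
}
```

The password-change handler would call Redeem and proceed only when it returns true, so the same link cannot be submitted twice.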
We are processing your report and will contact the answerdev/answer team within 24 hours.
2 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back
2 months ago
https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af
oiiwroo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
