No notification triggered on sensitive actions like adding SSH key in ikus060/rdiffweb

Valid

Reported on

Dec 20th 2022


Description

Adding an SSH key is a sensitive action. Since the application already triggers a notification on other sensitive actions, such as an email change or a password reset, adding an SSH key is also an important security event that the user should be notified about.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Complete all the steps needed to successfully add an SSH key
3) Check the inbox of your registered email address
4) You will notice that no notification is triggered for this security-sensitive action

Impact

If an attacker is able to add an SSH key by any means, the user will remain unaware of the change, which is a security concern.
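The missing control, as an added example that is not rdiffweb's own code: a key-registration routine that validates the key, stores it, and then always emails the account owner a notice identifying the key by its OpenSSH-style SHA256 fingerprint, no matter who performed the addition. The account model, the `outbox` list standing in for the mail sender, and the sample key line are constructed for this illustration.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed sample: a syntactically valid OpenSSH ed25519 public-key line whose 32 key
# bytes are just 0..31 (placeholder material, not a real key).
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " alice@laptop"

@dataclass
class Notification:
    recipient: str
    subject: str
    body: str

@dataclass
class UserAccount:
    username: str
    email: str
    ssh_keys: dict = field(default_factory=dict)  # fingerprint -> full key line

def ssh_key_fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob; rejects malformed input."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)  # ValueError on bad base64
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != parts[0].encode():
        raise ValueError("key type inside blob does not match declared type")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def add_ssh_key(account: UserAccount, key_line: str, outbox: list, source_ip: str) -> str:
    # Validate before touching state; then notify the owner unconditionally.
    # `outbox` stands in for the mail sender: each appended Notification is what the user gets.
    fingerprint = ssh_key_fingerprint(key_line)
    if fingerprint in account.ssh_keys:
        raise ValueError("key already registered")
    account.ssh_keys[fingerprint] = key_line
    comment = " ".join(key_line.split()[2:]) or "(no comment)"
    outbox.append(Notification(
        recipient=account.email,
        subject=f"New SSH key added to account {account.username}",
        body=(f"An SSH key was added to your account.\nFingerprint: {fingerprint}\n"
              f"Comment: {comment}\nSource IP: {source_ip}\n"
              "If you did not add this key, remove it and change your password."),
    ))
    return fingerprint
```

The notice carries the fingerprint and comment rather than the full key line, which is what a user can compare against `ssh-keygen -lf` on their own machine.
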

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 5 months ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 5 months ago
Patrik Dufresne validated this vulnerability 5 months ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.5.5 with commit bc4bed 5 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 5 months ago