No notification triggered on sensitive actions like adding SSH key in ikus060/rdiffweb
Valid
Reported on Dec 20th 2022
Description
Adding an SSH key is a sensitive action. Since the application already triggers a notification on other sensitive actions, such as an email change or a password reset, adding an SSH key is also an important security event that the user should be notified about.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Complete all the steps needed to successfully add an SSH key
3) Check the inbox of your registered email address
4) You will notice that no notification is triggered for this security-sensitive action
Impact
If an attacker is able to add an SSH key by any means, the user will remain unaware of the change, which raises a security concern.
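The following is an added example, not rdiffweb's code, showing the mitigation this report asks for: treating an SSH key addition like the other sensitive actions and sending a notification to the user's registered email address. The class and function names (Notifier, SshKeyStore, add_ssh_key), the SHA256 fingerprinting helper and the sample key are all constructed for illustration; a real deployment would back Notifier with the application's existing mailer.

```python
"""Notify the account owner whenever an SSH key is added (added example).

Constructed to illustrate the mitigation discussed in the report; it is not
rdiffweb's code. Notifier, SshKeyStore and add_ssh_key are hypothetical names.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Notifier:
    """Stand-in for an SMTP mailer: records every outgoing message."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


def fingerprint(pubkey: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line.

    Raises ValueError on input that is not an OpenSSH public key line.
    """
    parts = pubkey.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:
        raise ValueError("public key blob is not valid base64") from exc
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class SshKeyStore:
    """Per-user SSH key storage that always notifies on key addition."""
    notifier: Notifier
    keys: dict = field(default_factory=dict)  # username -> [fingerprint, ...]

    def add_ssh_key(self, username: str, email: str, pubkey: str, source_ip: str) -> str:
        fp = fingerprint(pubkey)  # validate before touching storage
        self.keys.setdefault(username, []).append(fp)
        # Sensitive action: notify the registered address unconditionally,
        # exactly as is done for an email change or a password reset.
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.notifier.send(
            to=email,
            subject="New SSH key added to your account",
            body=(
                f"An SSH key with fingerprint {fp} was added to account "
                f"'{username}' at {when} from {source_ip}. If you did not do "
                "this, remove the key and reset your password immediately."
            ),
        )
        return fp


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample ed25519 public key line (the 32-byte key is 0x00..0x1f).
SAMPLE_KEY = (
    "ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
    + " alice@example.org"
)


if __name__ == "__main__":
    mailer = Notifier()
    store = SshKeyStore(mailer)
    store.add_ssh_key("alice", "alice@example.org", SAMPLE_KEY, "203.0.113.5")
    for message in mailer.sent:
        print(message["to"], "-", message["subject"])
        print(message["body"])
```

The notification is sent from inside add_ssh_key rather than from the web handler, so every code path that stores a key (web UI, API, CLI) produces the same email; the fingerprint in the message lets the user match it against their own keys without the full public key being mailed around.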