No notification triggered on sensitive actions like adding SSH key in ikus060/rdiffweb

Valid

Reported on

Dec 20th 2022


Description

Adding SSH key is a sensitive action . As the application triggers a notification on all sensitive actions like email change/password reset , SSH key is also an important security feature to be notified about

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Do all necessary steps to successfully add a SSH key
3) Check the inbox of your registered email
4) You will notice that there is no notification triggered on this security endpoint 





# Impact

In case an attacker is able to add SSH key in any means , user will remain unaware of this change which raises a security concern
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 20 days ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 19 days ago
Patrik Dufresne validated this vulnerability 19 days ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.5.5 with commit bc4bed 17 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 17 days ago
to join this conversation