Weak Password Change Mechanism in kareadita/kavita


Reported on Aug 9th 2022

The user password change page does not require knowledge of the existing password: a user who is already logged in can set a new password without re-authenticating.

Proof of Concept

  1. Log in as a normal user.
  2. Go to the User Dashboard page and click Password.
  3. Set any new password.
  4. The password is changed successfully; the current password is never requested.


An attacker who gains access to an active user session (for example through a stolen session cookie or an unattended logged-in browser) can change the account password without knowing the current one, turning a temporary session compromise into a persistent account takeover and locking the legitimate user out. Requiring the current password on this flow is the standard mitigation: session possession alone should not be sufficient to change a credential.
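The weak flow and the hardened flow side by side, as an added illustration that is not Kavita's code (Kavita is a C# application; this is a generic Python model of the same logic). The in-memory user and session stores, the usernames and the passwords are constructed for the example. The hardened handler re-verifies the current password before rotating the hash and, as an extra step beyond the re-authentication check, revokes every other session of that user so a stolen session does not survive the change.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the application's user and
# session tables (illustrative only; not Kavita's data model).
USERS: dict[str, dict] = {}
SESSIONS: dict[str, str] = {}  # session token -> username


class PasswordChangeError(Exception):
    pass


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


def login(username: str, password: str) -> str:
    """Return a fresh session token if the credentials are correct."""
    if not verify_password(username, password):
        raise PasswordChangeError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def change_password_weak(token: str, new_password: str) -> None:
    """The flaw as reported: holding a valid session is all it takes."""
    username = SESSIONS[token]
    create_user(username, new_password)  # overwrite without any re-auth


def change_password(token: str, current_password: str, new_password: str) -> None:
    """Hardened flow: re-authenticate with the current password, then rotate."""
    username = SESSIONS.get(token)
    if username is None:
        raise PasswordChangeError("not authenticated")
    if not verify_password(username, current_password):
        raise PasswordChangeError("current password incorrect")
    create_user(username, new_password)
    # Revoke every other session for this user so a hijacked session is
    # evicted by the rotation (hardening added here; not part of the report).
    for other, owner in list(SESSIONS.items()):
        if owner == username and other != token:
            del SESSIONS[other]


def run_scenario() -> dict:
    """Victim and attacker both hold live sessions; compare the two flows."""
    USERS.clear()
    SESSIONS.clear()
    create_user("alice", "correct horse")
    victim = login("alice", "correct horse")
    stolen = login("alice", "correct horse")  # attacker obtained a live session
    results = {}

    # Weak flow: the stolen session is enough to take over the account.
    change_password_weak(stolen, "attacker-chosen")
    results["weak_takeover"] = verify_password("alice", "attacker-chosen")

    # Reset the credential and retry through the hardened flow with a guess.
    create_user("alice", "correct horse")
    try:
        change_password(stolen, "guess", "attacker-chosen")
        results["hardened_blocked"] = False
    except PasswordChangeError:
        results["hardened_blocked"] = True
    results["still_original"] = verify_password("alice", "correct horse")

    # The legitimate user knows the current password, so the change succeeds
    # and the attacker's session is evicted.
    change_password(victim, "correct horse", "new passphrase")
    results["legit_changed"] = verify_password("alice", "new passphrase")
    results["stolen_revoked"] = stolen not in SESSIONS
    results["victim_kept"] = victim in SESSIONS
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run the module directly to see the scenario play out. The comparison in `verify_password` uses `hmac.compare_digest` so the re-authentication check does not leak timing information, and the session sweep after a successful change is the piece most password-change implementations forget even once they require the current password.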

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 2 years ago
Joe Milazzo modified the Severity from High to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joe Milazzo validated this vulnerability 2 years ago

I would mark this as a low priority, since this is a self-hosted service. However, I will still introduce authentication against the existing password for this flow.

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. 2 years ago
Joe Milazzo marked this as fixed with commit ae891c 2 years ago
Joe Milazzo has been awarded the fix bounty