Weak Password Change Mechanism in kareadita/kavita


Reported on

Aug 9th 2022


The user password change page, doesn't require knowledge of the existing password.

Proof of Concept

  1. 1 - Log in as a normal user
  2. 2 - Go to the User Dashboard page and click Password.
  3. 3 - Set a any new password.
  4. 4 - The password is changed successfully.


An attacker that gains access to an active user session, can change the account password without previous knowledge of the current password.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 2 months ago
Joseph Milazzo modified the Severity from High to Low 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Joseph Milazzo validated this vulnerability 2 months ago

I would mark this as a low priority, since this is a self-hosted service. However, I will still introduce authentication against the existing password for this flow.

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. 2 months ago
Joseph Milazzo confirmed that a fix has been merged on ae891c a month ago
Joseph Milazzo has been awarded the fix bounty
to join this conversation