Weak Password Change Mechanism in athou/commafeed
Jul 5th 2022
When setting a new user password, CommaFeed does not require knowledge of the original password or any other form of re-authentication.
Proof of Concept
1. Log in as a regular user.
2. Go to the profile settings link.
3. Select Set Password.
4. Enter any 6-character password string (this form is not constrained by the common-password blocklist applied during initial user creation).
If an attacker can gain access to an active user session (e.g. an unattended terminal where the user is still logged in), they would not need to know the victim's current password in order to fully compromise the account.