
Expiration of Password Forget Token after changing E-Mail-Address

Moderate
Abraxas-Bot published GHSA-gff6-4273-wj4f Dec 19, 2022

Package

VOTING IAM (Abraxas Apps Platform)

Affected versions

< v1.15.0

Patched versions

v1.15.0

Description

Short Description

An attacker can re-use a password reset link that was sent to an e-mail address which has since been removed from the account.

Reporting Date

1 August 2022

Details

A password reset link generated before the account's e-mail address was changed remained valid afterwards. Reset tokens were not invalidated when the address they had been mailed to was removed, so anyone who still held the link (for example through access to the old mailbox) could complete a password reset against the account. From v1.15.0, changing the e-mail address expires any outstanding reset token.
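The following is an added illustration, not code from VOTING IAM or the Abraxas Apps Platform, of the two token designs at issue: a reset token bound only to the user id and an expiry (which survives an address change, as described above) next to one that is also bound to the e-mail address it was mailed to and is re-checked against the account's current address. The user store, secret key, token format and helper names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed demo state (not from the advisory): one account and one server-side HMAC key.
SECRET_KEY = secrets.token_bytes(32)
USERS = {"u-42": {"email": "old-address@example.com"}}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _parse(token: str) -> Tuple[str, int, str]:
    user_id, exp, sig = token.split(".")
    return user_id, int(exp), sig


def _now(now: Optional[int]) -> int:
    return now if now is not None else int(time.time())


def change_email(user_id: str, new_email: str) -> None:
    """Simulates the account's e-mail-change handler."""
    USERS[user_id]["email"] = new_email


# --- Vulnerable pattern: token bound to user id and expiry only ---------------
def issue_token_vulnerable(user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    exp = _now(now) + ttl
    return f"{user_id}.{exp}.{_sign(f'{user_id}|{exp}')}"


def verify_token_vulnerable(token: str, now: Optional[int] = None) -> bool:
    user_id, exp, sig = _parse(token)
    if _now(now) >= exp or user_id not in USERS:
        return False
    # Nothing here depends on the e-mail address, so a link mailed to a
    # since-removed address still verifies.
    return hmac.compare_digest(sig, _sign(f"{user_id}|{exp}"))


# --- Hardened pattern: token also bound to the address it was mailed to -------
def issue_token_hardened(user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    exp = _now(now) + ttl
    email = USERS[user_id]["email"].lower()  # address at issue time (case-normalised, an assumption)
    return f"{user_id}.{exp}.{_sign(f'{user_id}|{exp}|{email}')}"


def verify_token_hardened(token: str, now: Optional[int] = None) -> bool:
    user_id, exp, sig = _parse(token)
    if _now(now) >= exp or user_id not in USERS:
        return False
    # Recompute with the account's *current* address: if it changed after the
    # link was mailed, the signature no longer matches and the token is dead.
    email = USERS[user_id]["email"].lower()
    return hmac.compare_digest(sig, _sign(f"{user_id}|{exp}|{email}"))


def demo() -> Tuple[bool, bool]:
    """Issue both token kinds, change the address, re-check both within the TTL.

    Returns (vulnerable_still_valid, hardened_still_valid).
    """
    USERS["u-42"]["email"] = "old-address@example.com"  # reset demo state
    t0 = 1_700_000_000
    vulnerable = issue_token_vulnerable("u-42", now=t0)
    hardened = issue_token_hardened("u-42", now=t0)
    change_email("u-42", "new-address@example.com")
    return (
        verify_token_vulnerable(vulnerable, now=t0 + 60),
        verify_token_hardened(hardened, now=t0 + 60),
    )


if __name__ == "__main__":
    print(demo())
```

Binding the signature to the address is one way to get the behaviour the fix describes without a database write; the other common approach is a server-side token table that the e-mail-change handler explicitly clears. Either way, a reset token should additionally be single-use and short-lived, which this demo does not model.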

Impact

Medium

References

  • Bug Bounty ID: 65cb8092 (Public)
  • Internal ID: SEC-789

❤ Thanks to

Hassan Jawaid for reporting the password reset link vulnerability.

Severity

Moderate
4.3 / 10

CVSS base metrics

Attack vector
Adjacent
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE ID

No known CVE