request #10230 Email change confirmation code can be obtained without accessing the current email address

Artifact

Infos

Artifact ID#10230

Submitted byThomas Gerbet (tgerbet)

Last Modified On2018-08-16 10:58

Submitted on2017-05-17 11:27

Rank10495

Details

Summary *

Email change confirmation code can be obtained without accessing the current email address

Original Submission

The current design of the change email address procedure allow to obtain the confirmation code without needing to access the current email address.

Impact

An attacker that can access another user account can use that to achieve a complete take over of the account and lock out the legitimate user.
CVSSv3 score: 4.9 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)

References

CWE 330

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2018-08-16

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Show items referenced by request #10230

Referenced by request #10230

Artifact Tracker v5

request #11217 Account takeover due to a missing CSRF protection on email address change functionnality

Follow-ups

Thomas Gerbet (tgerbet)

2018-08-16 10:58

This has been handled by work done in request #11217.

Disclosing the issue since it is fixed for a while now.

Status changed from Verified to Closed
Close date set to 2018-08-16

Public

Impact

References

Artifact links

Reverse artifact links

Referenced by request #10230

Artifact Tracker v5

Follow-ups