      request #12219 Reset password links are not invalidated on password change
    Infos
    #12219
    Thomas Gerbet (tgerbet)
    2018-09-21 21:07
    2018-09-03 09:47
    12887
    Details
    Reset password links are not invalidated on password change

    Reset password links are not invalidated after a user changes their password.

    Impact

    This issue could allow an attacker to persist access to a compromised user account.
    CVSSv3 score: 3.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)

    Exploitation

    1. A user's account gets compromised; the attacker changes the mail address and asks for a reset link.
    2. The user recovers the account and changes the password. The user now thinks the account is safe.
    3. The attacker can use the reset link previously generated to change the password again and compromise the account again.

    Credits

    Thank you to Swapnil Jain for finding and reporting this issue.

    References

    CVE-2018-17298

    CWE 640
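    The following is an added illustration of the defect and of one way to close it; it is not Tuleap's code and not the change reviewed in gerrit #12537. It models a reset-link store in Python: with invalidate_on_change=False a link issued before a password or e-mail change is still accepted afterwards (the reported behaviour), with invalidate_on_change=True the link is bound to a credential_version counter recorded at issue time and is rejected once that counter has moved. The class and field names (ResetTokenStore, credential_version, replay_report_scenario) and the user names are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    email: str
    password_hash: str
    # Assumed field: a counter bumped on every password or e-mail change so a
    # reset link can be tied to the credentials that existed when it was issued.
    credential_version: int = 0


def hash_password(password: str) -> str:
    # Illustrative only; a real system uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class ResetTokenStore:
    """Issues and consumes password-reset links.

    invalidate_on_change=False reproduces the reported behaviour: a link stays
    valid until it expires or is used, whatever happens to the account.
    invalidate_on_change=True is the fix: the link carries the credential_version
    at issue time and is rejected once that version has moved. In a database-backed
    store, deleting the user's outstanding rows on every change is the equivalent.
    """

    def __init__(self, invalidate_on_change: bool, ttl_seconds: int = 3600):
        self.invalidate_on_change = invalidate_on_change
        self.ttl = ttl_seconds
        self.users: dict[str, User] = {}
        # token digest -> (user name, issued-at, credential_version at issue)
        self._tokens: dict[str, tuple[str, float, int]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash of the token so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, name: str, email: str, password: str) -> None:
        self.users[name] = User(name, email, hash_password(password))

    def change_email(self, name: str, new_email: str) -> None:
        user = self.users[name]
        user.email = new_email
        if self.invalidate_on_change:
            user.credential_version += 1

    def change_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.password_hash = hash_password(new_password)
        if self.invalidate_on_change:
            user.credential_version += 1

    def request_reset(self, name: str, now: float) -> str:
        user = self.users[name]
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (name, now, user.credential_version)
        return token  # would be mailed to user.email

    def consume_reset(self, token: str, new_password: str, now: float) -> bool:
        entry = self._tokens.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        name, issued_at, version_at_issue = entry
        user = self.users[name]
        if now - issued_at > self.ttl:
            return False
        if self.invalidate_on_change and version_at_issue != user.credential_version:
            return False  # credentials changed since the link was sent
        user.password_hash = hash_password(new_password)
        user.credential_version += 1
        return True


def replay_report_scenario(invalidate_on_change: bool) -> bool:
    """Run steps 1-3 of the report. Returns True if the stale link still works."""
    store = ResetTokenStore(invalidate_on_change)
    store.add_user("alice", "alice@example.test", "original-pw")  # constructed sample
    t = 0.0
    # 1. Account compromised: the mail address is changed and a link requested.
    store.change_email("alice", "attacker@example.test")
    stale_link = store.request_reset("alice", now=t)
    # 2. The legitimate user recovers the account and changes the password.
    store.change_email("alice", "alice@example.test")
    store.change_password("alice", "recovered-pw")
    # 3. The link generated in step 1 is presented again.
    return store.consume_reset(stale_link, "other-pw", now=t + 60)


if __name__ == "__main__":
    print("vulnerable:", replay_report_scenario(False))  # True: stale link accepted
    print("fixed:     ", replay_report_scenario(True))   # False: stale link rejected
```

    Binding the link to a version counter rather than only deleting rows also covers stores that cannot be enumerated per user (signed, self-contained tokens), since the version is checked at consumption time; the time-to-live and single-use checks remain in place in both modes.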

    Authentication & LDAP
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-09-04
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-09-21 21:07
    Adding CVE ID.

    Thomas Gerbet (tgerbet) 2018-09-03 11:38
    A patch is under review: gerrit #12537.

    • Status changed from Under implementation to Under review