Password reset links are not invalidated after a user changes their password.
This issue could allow an attacker to persist access to a compromised user account.
CVSSv3 score: 3.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
- A user's account is compromised; the attacker changes the account's email address and requests a password reset link.
- The user recovers the account and changes the password. The user now believes the account is safe.
- The attacker can use the reset link generated earlier to change the password again and re-compromise the account.
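As an added illustration (not the project's own code), the following minimal in-memory reset-token store shows the expected fix: a password change voids every outstanding reset link. The `invalidate_links` flag exists only to reproduce the reported behaviour for comparison; the names `Account`, `issue_reset_token`, `change_password` and `redeem_reset_token` are assumed for this demo.

```python
import hashlib
import hmac
import secrets


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password_hash = _digest(password)  # demo only; a real service uses a slow KDF
        self.reset_tokens = set()               # digests of outstanding reset links


def verify_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash, _digest(password))


def issue_reset_token(account: Account) -> str:
    """Generate a reset-link token; only its digest is stored server-side."""
    token = secrets.token_urlsafe(32)
    account.reset_tokens.add(_digest(token))
    return token


def change_password(account: Account, new_password: str, invalidate_links: bool = True) -> None:
    """Set a new password. invalidate_links=False reproduces the reported bug:
    links requested before the change keep working afterwards."""
    account.password_hash = _digest(new_password)
    if invalidate_links:
        account.reset_tokens.clear()  # the fix: a password change voids every pending link


def redeem_reset_token(account: Account, token: str, new_password: str) -> bool:
    """Consume a reset link. Returns False if the link is unknown or already voided."""
    key = _digest(token)
    if key not in account.reset_tokens:
        return False
    account.reset_tokens.discard(key)  # single use
    change_password(account, new_password)
    return True
```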
Thank you to Swapnil Jain for finding and reporting this issue.