Password Recovery Token Reuse Vulnerability
A vulnerability in lunary-ai/lunary version 1.2.4 allows attackers to reuse password recovery tokens, potentially enabling unauthorized password changes. This issue arises because the token is not invalidated after a password change operation. There is no specified fixed version in the report.
Available publicly on May 23 2024
Threat Overview
The core of this vulnerability lies in the application's handling of password recovery tokens. In a secure implementation, such tokens should be invalidated immediately after use to prevent any possibility of reuse. However, in lunary-ai/lunary version 1.2.4, once a user utilizes a recovery token to reset their password, the token remains valid. This oversight allows an attacker who has access to the token, possibly by compromising the victim's email account, to repeatedly change the user's password without authorization.
Attack Scenario
An attacker begins by obtaining a password recovery token, likely through accessing the victim's email. They then use this token to reset the victim's password, gaining unauthorized access to the account. Due to the token not being invalidated after this initial use, the attacker can continue to change the password multiple times, potentially locking out the legitimate user and maintaining control over the account.
Who is affected
Users of lunary-ai/lunary version 1.2.4 who utilize the password recovery feature are at risk. Specifically, if an attacker can access or intercept the password recovery token, they can exploit this vulnerability to gain unauthorized access and potentially maintain persistent control over the user's account.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.