Password Recovery Token Reuse Vulnerability
A vulnerability in lunary-ai/lunary version 1.2.4 allows attackers to reuse password recovery tokens, potentially enabling unauthorized password changes. This issue arises because the token is not invalidated after a password change operation. There is no specified fixed version in the report.
Available publicly on May 23 2024
Remediation Steps
- Update the application's authentication logic to ensure that password recovery tokens are invalidated immediately after use.
- Audit the authentication and session management mechanisms to identify and rectify any similar vulnerabilities.
- Consider implementing additional security measures such as token expiration and rate limiting for password recovery attempts.
- Notify users of the vulnerability and advise them to be cautious of suspicious activities in their accounts.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A