Critical

lunary

Account Hijacking via Password Reset Token Leak

A vulnerability in Lunary version 1.2.2 allows a user with the 'viewer' role to hijack other user accounts by exploiting a password reset token leak. The issue lies in the Lunary application's password reset functionality. The version in which this vulnerability was patched is not specified in the report.

Available publicly on Apr 06 2024

CVSS: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)

Credit: ranjit-git

Threat Overview

The vulnerability arises from the application's handling of password reset tokens, which are inadvertently exposed to users with 'viewer' roles under certain conditions. Specifically, when a 'viewer' role user requests the password reset token for another user, the application incorrectly includes the token in the response to the 'viewer' role user. This token can then be used to reset the password of the targeted user account, effectively allowing unauthorized account takeover.

Attack Scenario

An attacker, having 'viewer' role access, can exploit this vulnerability by first obtaining the email address of a target user (user-A) with higher privileges. The attacker then initiates a password reset request for user-A's account. Subsequently, the attacker crafts a specific request to the application's backend, which mistakenly returns the password reset token for user-A's account. With this token, the attacker can reset user-A's password and gain unauthorized access to their account.

Who is affected

This vulnerability affects all users of the Lunary application version 1.2.2, especially those with elevated privileges, whose accounts could be targeted for unauthorized access. Users with 'viewer' role access can exploit this vulnerability to hijack other user accounts, posing a significant risk to the integrity and confidentiality of the application's data.
