Account Hijacking via Password Reset Token Leak
A vulnerability in Lunary version 1.2.2 allows a user with 'viewer' role to hijack other user accounts by exploiting a password reset token leak. This issue was identified in the Lunary application, specifically within the password reset functionality. The exact version in which this vulnerability was patched is not specified in the provided report.
Available publicly on Apr 06 2024
Remediation Steps
- Update the Lunary application to the latest version where this vulnerability has been patched.
- Review and restrict the exposure of sensitive information, such as password reset tokens, to unauthorized roles.
- Implement additional checks and validations in the application's backend to ensure that password reset tokens are only sent to the email address associated with the user account.
- Conduct a thorough security audit of the application to identify and remediate similar vulnerabilities.
- Educate users about the importance of reporting suspicious activities and the potential risks associated with sharing account information.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.