
Password Reset Token Reuse Vulnerability in Vikunja

Vikunja's password reset mechanism allows token reuse due to improper token invalidation and cleanup, enabling persistent account takeovers.

Sebastion

CVE References

Affected

Vikunja/api

The vulnerability arises from two issues: password reset tokens are not invalidated when they are used, and the token cleanup process does not work. When a user resets their password, the system removes an email confirmation token instead of the password reset token, so the reset token stays valid. In addition, the cron job meant to remove old tokens is ineffective, so tokens persist indefinitely.

The proof-of-concept highlights the severity of token reuse in authentication systems. It demonstrates that a single intercepted token can enable long-term unauthorized access, bypassing standard security measures. This emphasizes the importance of proper token lifecycle management in securing user accounts.

Monitor for repeated password reset attempts using the same token and review token cleanup logs to ensure tokens are being invalidated correctly. Implement logging for token usage and establish alerts for suspicious activity involving token reuse.
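The detection described above, written as an added Go example that is not part of the advisory or of Vikunja's code. It assumes a hypothetical key=value audit log in which each password reset attempt records the user, a short hash prefix of the token (never the token itself) and the outcome; the sample lines are constructed. A token accepted more than once is exactly the condition that a correct single-use policy makes impossible, so every hit is worth an alert, and the span between first and last use shows how long the replay window stayed open.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example; it is not real Vikunja output.
// Tokens appear only as a short hash prefix so the log cannot be replayed.
var sampleLog = []string{
	"2024-05-01T10:00:00Z action=password_reset user=42 token=3f9a1c result=ok",
	"2024-05-01T10:05:00Z action=password_reset user=17 token=b77e02 result=ok",
	"2024-05-01T10:06:00Z action=password_reset user=17 token=b77e02 result=fail",
	"2024-05-02T09:00:00Z action=login user=17 result=ok",
	"2024-05-09T22:13:00Z action=password_reset user=42 token=3f9a1c result=ok",
	"2024-05-20T03:41:00Z action=password_reset user=42 token=3f9a1c result=ok",
}

// Reuse describes one token that completed more than one password reset.
type Reuse struct {
	Token string
	User  string
	Uses  int
	First time.Time
	Last  time.Time
}

// parseLine splits "<RFC3339 timestamp> k=v k=v ..." into a timestamp and a map.
func parseLine(line string) (time.Time, map[string]string, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return time.Time{}, nil, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
	}
	kv := make(map[string]string, len(fields)-1)
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return time.Time{}, nil, fmt.Errorf("malformed field %q", f)
		}
		kv[k] = v
	}
	return ts, kv, nil
}

// FindReusedTokens returns every token that was accepted for a password reset
// more than once, with the span between its first and last success. Failed
// attempts and other actions are not counted as a use.
func FindReusedTokens(lines []string) ([]Reuse, error) {
	seen := map[string]*Reuse{}
	for _, line := range lines {
		ts, kv, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if kv["action"] != "password_reset" || kv["result"] != "ok" {
			continue
		}
		tok := kv["token"]
		r, ok := seen[tok]
		if !ok {
			seen[tok] = &Reuse{Token: tok, User: kv["user"], Uses: 1, First: ts, Last: ts}
			continue
		}
		r.Uses++
		if ts.Before(r.First) {
			r.First = ts
		}
		if ts.After(r.Last) {
			r.Last = ts
		}
	}
	var out []Reuse
	for _, r := range seen {
		if r.Uses > 1 {
			out = append(out, *r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Token < out[j].Token })
	return out, nil
}

func main() {
	hits, err := FindReusedTokens(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, h := range hits {
		fmt.Printf("ALERT token %s for user %s accepted %d times over %s\n",
			h.Token, h.User, h.Uses, h.Last.Sub(h.First).Round(time.Hour))
	}
}
```

Run against the constructed sample, the only hit is token prefix 3f9a1c for user 42, accepted three times across roughly nineteen days; the failed second attempt for user 17 does not count, which keeps ordinary mistyped-link noise out of the alert.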

Patch the ResetPassword function to invalidate password reset tokens upon use and verify that the cron job properly removes expired tokens. Consider implementing additional checks, such as token expiration dates and single-use policies, to enhance security.
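The two defects described above and the fix this paragraph asks for, as an added Go example that is not Vikunja's code. It uses a constructed in-memory token store with hypothetical names (`Store`, `TokenEmailConfirm`, `TokenPasswordReset`, `ResetPasswordVulnerable`, `ResetPasswordFixed`, `CleanupExpired`) and an injectable clock: the vulnerable path deletes the wrong token kind so the reset token can be replayed, the fixed path checks expiry at use and deletes the user's reset tokens once one is consumed, and the cleanup routine is what the cron job should perform.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenKind distinguishes the two token types the advisory mentions.
// The names are hypothetical and are not Vikunja's own identifiers.
type TokenKind int

const (
	TokenEmailConfirm TokenKind = iota
	TokenPasswordReset
)

// Token is a constructed stand-in for a row in a token table.
type Token struct {
	Value   string
	UserID  int64
	Kind    TokenKind
	Created time.Time
}

// Store is an in-memory token table with an injectable clock so expiry
// can be exercised without sleeping.
type Store struct {
	tokens map[string]Token
	now    func() time.Time
}

var ErrInvalidToken = errors.New("invalid, expired or already used token")

func NewStore(now func() time.Time) *Store {
	return &Store{tokens: map[string]Token{}, now: now}
}

// Issue records a new token of the given kind for a user.
func (s *Store) Issue(value string, userID int64, kind TokenKind) {
	s.tokens[value] = Token{Value: value, UserID: userID, Kind: kind, Created: s.now()}
}

// Count reports how many tokens are still stored.
func (s *Store) Count() int { return len(s.tokens) }

// removeKind deletes every token of one kind belonging to a user.
func (s *Store) removeKind(userID int64, kind TokenKind) {
	for v, t := range s.tokens {
		if t.UserID == userID && t.Kind == kind {
			delete(s.tokens, v) // deleting during range is safe in Go
		}
	}
}

// ResetPasswordVulnerable models the defect: the password changes, but the
// cleanup targets the email-confirmation kind, so the reset token survives
// and a second call with the same value succeeds again.
func (s *Store) ResetPasswordVulnerable(value, newPassword string, passwords map[int64]string) error {
	t, ok := s.tokens[value]
	if !ok || t.Kind != TokenPasswordReset {
		return ErrInvalidToken
	}
	passwords[t.UserID] = newPassword
	s.removeKind(t.UserID, TokenEmailConfirm) // wrong kind: the reset token stays live
	return nil
}

// ResetPasswordFixed enforces both controls: an expiry window checked at use,
// and single use by deleting the user's reset tokens (the consumed one included).
func (s *Store) ResetPasswordFixed(value, newPassword string, passwords map[int64]string, maxAge time.Duration) error {
	t, ok := s.tokens[value]
	if !ok || t.Kind != TokenPasswordReset || s.now().Sub(t.Created) > maxAge {
		return ErrInvalidToken
	}
	passwords[t.UserID] = newPassword
	s.removeKind(t.UserID, TokenPasswordReset) // invalidate on use
	return nil
}

// CleanupExpired is the job the cron entry should perform: drop every token
// older than maxAge regardless of kind, and report how many were removed.
func (s *Store) CleanupExpired(maxAge time.Duration) int {
	removed := 0
	for v, t := range s.tokens {
		if s.now().Sub(t.Created) > maxAge {
			delete(s.tokens, v)
			removed++
		}
	}
	return removed
}

func main() {
	clock := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	store := NewStore(func() time.Time { return clock })
	passwords := map[int64]string{42: "old"}

	store.Issue("reset-abc", 42, TokenPasswordReset)
	fmt.Println("vulnerable 1st use:", store.ResetPasswordVulnerable("reset-abc", "new1", passwords))
	fmt.Println("vulnerable 2nd use:", store.ResetPasswordVulnerable("reset-abc", "new2", passwords))

	store.Issue("reset-def", 42, TokenPasswordReset)
	fmt.Println("fixed 1st use:", store.ResetPasswordFixed("reset-def", "new3", passwords, time.Hour))
	fmt.Println("fixed 2nd use:", store.ResetPasswordFixed("reset-def", "new4", passwords, time.Hour))

	store.Issue("confirm-xyz", 42, TokenEmailConfirm)
	clock = clock.Add(2 * time.Hour) // move past the window, then sweep
	fmt.Println("cleanup removed:", store.CleanupExpired(time.Hour), "remaining:", store.Count())
}
```

The fixed path deletes all of the user's outstanding reset tokens rather than only the one presented, so an older link issued before the reset cannot be used afterwards either; the cleanup sweep is kept separate so that expiry is enforced both at use and by the scheduled job, and the job's return value gives operators something to log.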

The likelihood of exploitation is high due to the critical impact and ease of exploit once a token is obtained. This vulnerability poses significant risks for user accounts and data integrity, making it a prime target for attackers seeking unauthorized access.