Listen to this Post
The vulnerability exists in the `/api/v1/account/forgot-password` endpoint. When an unauthenticated user submits a POST request with a target email address, the API responds with a 201 status code and a JSON object containing the full user record. Crucially, this response includes a valid, unexpired `tempToken` and its `tokenExpiry` timestamp. This token is designed for use with the `/api/v1/account/reset-password` endpoint. An attacker can intercept this token directly from the HTTP response without any need for email interaction or verification. The attacker then submits a separate POST request to the reset-password endpoint, providing the stolen token and a new password of their choice. The system, failing to validate if the token was delivered via the intended secure channel (email), accepts the request and changes the victim account’s password, resulting in a complete account takeover.
Platform: FlowiseAI
Version: Pre-1.4.3
Vulnerability: Authentication Bypass
Severity: Critical
date: 2024-08-19
Prediction: Patch: 2024-08-26
What Undercode Say:
curl -X POST $TARGET/api/v1/account/forgot-password -H "Content-Type: application/json" -d '{"user":{"email":"[email protected]"}}'
curl -X POST $TARGET/api/v1/account/reset-password -H "Content-Type: application/json" -d '{"user":{"email":"[email protected]","tempToken":"STOLEN_TOKEN","password":"attacker-password"}}'
How Exploit:
Unprivileged Account Takeover
Protection from this CVE:
Apply Patch 1.4.3
Impact:
Full Account Compromise
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

