Impact
What kind of vulnerability is it? Who is impacted?
Any user with an account on an instance of effectindex/tripreporter, e.g. https://subjective.report.
The vulnerability allows any user who submits a password that merely satisfies the password requirements to log in as any other user. This grants access to that user's account and can result in loss of their data.
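The failure mode described above is a format check standing in where a credential check belongs. The following Go program is an added illustration, not code from effectindex/tripreporter: the names ValidatePassword and VerifyPassword mirror the patch, but their bodies, the Account type and the two login helpers are constructed here. A salted SHA-256 is used only to keep the example standard-library-only; a real deployment would store passwords with a slow KDF such as argon2id or bcrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

var (
	ErrWeakPassword   = errors.New("password does not meet requirements")
	ErrBadCredentials = errors.New("invalid username or password")
)

// Account is a constructed stand-in for a stored credential:
// a random salt and the hash of salt||password.
type Account struct {
	Username string
	Salt     []byte
	Hash     []byte
}

// ValidatePassword checks only the *format* of a submitted password
// (minimum length, at least one letter and one digit). It never looks at
// the stored credential, so a nil error says nothing about who the caller is.
func ValidatePassword(pw string) error {
	if len(pw) < 8 {
		return ErrWeakPassword
	}
	var hasLetter, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		return ErrWeakPassword
	}
	return nil
}

// hashPassword is a placeholder for a real password hash (see lead-in).
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// NewAccount enforces the format rules at registration time, which is the
// only place ValidatePassword belongs, then stores salt and hash.
func NewAccount(username, pw string) (*Account, error) {
	if err := ValidatePassword(pw); err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Username: username, Salt: salt, Hash: hashPassword(salt, pw)}, nil
}

// VerifyPassword compares the submitted password with the stored credential
// in constant time. This is the check a login handler must call.
func (a *Account) VerifyPassword(pw string) error {
	if subtle.ConstantTimeCompare(hashPassword(a.Salt, pw), a.Hash) != 1 {
		return ErrBadCredentials
	}
	return nil
}

// loginVulnerable models the pre-patch logic: any well-formed password passes.
func loginVulnerable(_ *Account, pw string) bool {
	return ValidatePassword(pw) == nil
}

// loginFixed models the patched logic: the password must match the account.
func loginFixed(a *Account, pw string) bool {
	return a.VerifyPassword(pw) == nil
}

func main() {
	acct, err := NewAccount("alice", "correct-horse-7") // constructed sample account
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable, wrong but well-formed password:", loginVulnerable(acct, "attacker123"))
	fmt.Println("fixed, wrong but well-formed password:     ", loginFixed(acct, "attacker123"))
	fmt.Println("fixed, correct password:                   ", loginFixed(acct, "correct-horse-7"))
}
```

The regression test worth keeping from this is the middle case: an existing account, a password that satisfies every format rule but is not that account's password, and an assertion that login fails.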
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in bd80ba8.
No action is necessary for users of https://subjective.report. Anyone running their own instance should update to this commit or newer as soon as possible.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Apply this patch:
diff --git a/api/account.go b/api/account.go
index be89603..b9c08a0 100644
--- a/api/account.go
+++ b/api/account.go
@@ -84,7 +84,7 @@ func AccountPostLogin(w http.ResponseWriter, r *http.Request) {
return
}
- account, err = a1.ValidatePassword(account.Password, "Password")
+ account, err = a1.VerifyPassword(account.Password)
if err != nil {
ctx.HandleStatus(w, r, "Invalid username or password!", http.StatusForbidden)
return
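Review bot: the replaced call `a1.ValidatePassword(account.Password, "Password")` takes a field-name string and, per the advisory, succeeded for any password that met the format requirements, so this hunk is the whole fix and deserves a regression test alongside it: log in to an existing account with a well-formed but wrong password and assert the handler answers `http.StatusForbidden` with "Invalid username or password!". It is also worth confirming in review that `VerifyPassword` compares against the stored hash with a constant-time comparison, since the error branch below is now the only thing standing between a bad password and a session.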
References
Are there any links users can visit to find out more?
Not at the moment.