Skip to content

User account takeover in the signup/reset password process

High
dregad published GHSA-93x3-m7pw-ppqm May 12, 2024

Package

composer mantisbt (Composer)

Affected versions

<=2.26.1

Patched versions

2.26.2

Description

Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.

The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.

A brute-force attack calling account_update.php with increasing user IDs is possible.

Impact

A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.

Patches

92d11a0

Workarounds

Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).

References

https://mantisbt.org/bugs/view.php?id=34433

Credits

Alexander Christian, from Vantage Point Security Indonesia

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-34077

Credits