AVideo Platform Cross-Site Request Forgery Vulnerability Allowing Password Reset
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in AVideo Platform version 8.1. The flaw lies in the password recovery mechanism: the recoverPass endpoint accepts a request that carries a user's recovery token without verifying that the request originated from the application's own pages, which is the defining condition of CSRF. An attacker who crafts such a request and supplies the victim's recovery token can set a new password for the account without authenticating.
Impact
Exploitation of this vulnerability allows unauthorized password resets. Because the attacker chooses the new credentials, a successful reset leads directly to account takeover.
Reproduction
To reproduce this vulnerability, first obtain the target user's recovery token (the advisory states it can be retrieved from the user's account details). Then craft a request to the recoverPass endpoint that carries that token together with a new password; the endpoint accepts the request and the user's password is changed. Note that possession of the recovery token is a precondition of the attack as described.
Remediation
Users are advised to update to the latest version of AVideo Platform, where this vulnerability has been addressed. Administrators who cannot upgrade immediately should at least confirm that the recoverPass flow rejects cross-site requests (an anti-CSRF token or an Origin check) and that recovery tokens are short-lived and single-use, so that a captured or reused token cannot drive a reset.
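The following example, added here and not taken from AVideo's source, illustrates the weakness described above and the hardened pattern the remediation calls for. It models a recoverPass-style handler in Python: the vulnerable version accepts any request that carries the recovery token, while the hardened version requires a POST from the site's own origin, compares the token in constant time, enforces an expiry, and consumes the token on use. The site origin, token lifetime, user store and request shape are assumptions constructed for the example.

```python
"""Hypothetical password-recovery endpoint: a CSRF-prone handler beside a hardened one.
Example code written for this advisory; it is not AVideo's own code."""
import hashlib
import hmac
import secrets
import time

SITE_ORIGIN = "https://video.example"   # assumption: the application's own origin
TOKEN_TTL = 15 * 60                     # assumption: recovery tokens live 15 minutes


class UserStore:
    """In-memory stand-in for the user table (constructed for the example)."""

    def __init__(self):
        self.users = {"alice": {"password": "old-password", "recovery": None}}

    def issue_recovery_token(self, user, now=None):
        """Create a recovery token for `user`; only its hash is persisted."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.users[user]["recovery"] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL,
        }
        return token


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def recover_pass_vulnerable(store, req):
    """Weak pattern: any request carrying the token resets the password.
    No method restriction, no origin check, no expiry, token stays valid."""
    user = req["params"].get("user")
    rec = store.users.get(user, {}).get("recovery")
    token = req["params"].get("token", "")
    if rec and _token_hash(token) == rec["hash"]:
        store.users[user]["password"] = req["params"]["new_password"]
        return 200, "password changed"
    return 403, "invalid token"


def recover_pass_hardened(store, req, now=None):
    """Hardened pattern: POST only, same-origin only, constant-time compare,
    token expiry, single use, minimal password policy."""
    now = time.time() if now is None else now
    if req["method"] != "POST":
        return 405, "reset must be a POST"
    # Browsers attach Origin to cross-site form posts; anything not from our own
    # origin is rejected. A synchronizer (anti-CSRF) token is an equivalent defence.
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    user = req["params"].get("user")
    rec = store.users.get(user, {}).get("recovery")
    if rec is None or now > rec["expires"]:
        return 403, "no valid recovery in progress"
    token = req["params"].get("token", "")
    if not hmac.compare_digest(_token_hash(token), rec["hash"]):
        return 403, "invalid token"
    new_password = req["params"].get("new_password", "")
    if len(new_password) < 8:
        return 400, "password too short"
    store.users[user]["password"] = new_password
    store.users[user]["recovery"] = None   # consume the token: single use
    return 200, "password changed"


def cross_site_request(token, method="GET"):
    """A request as an attacker's page would produce it (constructed sample)."""
    return {
        "method": method,
        "headers": {"Origin": "https://attacker.example"},
        "params": {"user": "alice", "token": token, "new_password": "attacker-chosen"},
    }
```

Run against the same token, `recover_pass_vulnerable` changes the password for a cross-site GET, whereas `recover_pass_hardened` refuses the GET, refuses a cross-origin POST, accepts exactly one legitimate same-origin POST, and rejects any replay or expired token afterwards.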
