Lunary Password Reset Token Leak Vulnerability Allowing Account Hijacking

Vulnerability

A vulnerability allowing account hijacking through a password reset token leak has been identified in Lunary version 1.2.2. This issue arises from an excessive attack surface that enables users with a 'viewer' role to escalate privileges and take over other users' accounts. The vulnerability is triggered when a 'viewer' role user sends a request to the server, which responds with a password reset token for another user. This token can then be used to reset the password and gain unauthorized access to the account.

Impact

Exploitation of this vulnerability allows a 'viewer' role user to hijack the account of another user by using the leaked password reset token to reset the victim's password and gain access to their account.

Reproduction

To reproduce this vulnerability, create an owner account (user-A) and add a user with 'viewer' role (user-B). User-B can then request a password reset for user-A, intercept the password reset token, and use it to reset user-A's password, effectively hijacking the account.

Remediation

Users are advised to update to Lunary version 1.2.14 or later, where this vulnerability has been fixed.

Added: Feb 2, 2026, 11:28 AM
Updated: Feb 2, 2026, 11:28 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  4.2
  remediation     7.7
  relevance       2.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.