Fossasia Open-Event Server Token Encryption Oracle Vulnerability in Mail Verification Handler
Vulnerability
Fossasia Open-Event Server version 1.19.1 is affected in its Mail Verification Handler component, specifically in the 'send_email_change_user_email' function. The application relies on an encoded token to carry a security-sensitive input (the address to be verified) but does not bind that token to the operation it was issued for, so encoding stands in for integrity checking. As the remediation below indicates, the root cause is a single secret key reused across cryptographic operations with no per-operation salt: a token legitimately minted by the change-email flow validates just as well at the email verification endpoint. This turns the change-email flow into a token encryption oracle, allowing an attacker to obtain crafted email verification tokens and bypass the verification process. The vulnerability is exploitable remotely, but the attack complexity is high, which makes exploitation difficult in practice.
Impact
Exploitation of this vulnerability allows unauthorized email verification: an attacker can have an email address they do not control marked as verified on their own account, falsifying the proof of ownership that the verification process is supposed to provide and thereby taking over that address's identity within the application.
Reproduction
To reproduce this vulnerability, register an account with an email address that the attacker does not control; it remains unverified. Change the account's email address to one controlled by the attacker and wait for the email update link, which carries a token. Change the email address back to the original, unverified address. Finally, submit the crafted email verification link using the token captured during the email change step; the original address is marked as verified even though no verification message was ever acted on from its inbox.
Remediation
It is recommended to use a distinct secret key for each cryptographic operation, so that tokens issued for an email change and tokens issued for email verification are not interchangeable, and to add a unique salt to each operation so that a token minted for one purpose fails validation everywhere else.
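To make the remediation concrete, the following is an added example, not code from Open-Event Server. It places the weak pattern (one application secret shared by the change-email and verify-email flows, with no purpose binding) beside a hardened one that derives a separate key per operation, the same effect a serializer salt has, and additionally binds the purpose and user id into the signed payload. The helper names, the JSON token layout, the secret and the addresses are all constructed for illustration; the project's own serializer and token format are not shown on this page.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed application secret for the demonstration (not the project's real key).
SECRET = b"example-application-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, payload) -> str:
    """Serialise payload as JSON and append an HMAC-SHA256 tag: <body>.<tag>."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify(key: bytes, token: str):
    """Return the payload if the tag is valid under `key`, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


# --- Weak pattern: one key for every flow, nothing says what the token is for ---
# Both flows sign with SECRET, so a token minted by the change-email flow passes
# the signature check of the verify-email handler unchanged (the oracle).

def weak_change_email_token(new_email: str) -> str:
    return sign(SECRET, [new_email, secrets.token_hex(8)])


def weak_verify_email(token: str):
    """Return the address the weak handler would mark as verified, or None."""
    data = verify(SECRET, token)
    if isinstance(data, list) and data:
        return data[0]
    return None


# --- Hardened pattern: per-operation key, purpose and user bound in the payload ---

def purpose_key(purpose: str) -> bytes:
    # Derive an independent key per operation from the master secret; a token
    # signed under "change-email" cannot validate under "verify-email".
    return hmac.new(SECRET, purpose.encode("utf-8"), hashlib.sha256).digest()


def change_email_token(user_id: int, new_email: str) -> str:
    payload = {"purpose": "change-email", "uid": user_id,
               "email": new_email, "nonce": secrets.token_hex(8)}
    return sign(purpose_key("change-email"), payload)


def verify_email_token(user_id: int, email: str) -> str:
    payload = {"purpose": "verify-email", "uid": user_id,
               "email": email, "nonce": secrets.token_hex(8)}
    return sign(purpose_key("verify-email"), payload)


def verify_email(token: str, user_id: int):
    """Accept only tokens minted for verify-email, for this specific user."""
    data = verify(purpose_key("verify-email"), token)
    if not isinstance(data, dict):
        return None
    if data.get("purpose") != "verify-email" or data.get("uid") != user_id:
        return None
    return data.get("email")


if __name__ == "__main__":
    victim = "victim@example.org"  # constructed address the attacker cannot read
    # Oracle: a change-email token is accepted by the weak verify handler.
    print(weak_verify_email(weak_change_email_token(victim)))  # victim@example.org
    # Hardened: the cross-flow token is rejected, a genuine one is accepted.
    print(verify_email(change_email_token(7, victim), 7))      # None
    print(verify_email(verify_email_token(7, victim), 7))      # victim@example.org
```

Deriving the per-purpose key with HMAC over a purpose string is equivalent in effect to giving each serializer its own salt; keeping the purpose and user id inside the signed body as well means a token that somehow reaches the wrong endpoint is rejected by an explicit check rather than only by a signature mismatch.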
