Creativeitem Academy LMS
cpe:2.3:a:creativeitem:academy_lms:*:*:*:*:*:*:*
- <= 5.13
A vulnerability exists in Creativeitem Academy LMS versions 5.13 and prior, where password reset tokens are generated using predictable patterns based on Base64-encoded templates. This lack of randomness, combined with the absence of rate limiting on reset attempts, allows attackers to brute force tokens, potentially compromising user accounts, including those of administrators.
Exploitation of this vulnerability allows for brute forcing of password reset tokens, unauthorized access to user accounts, and the ability to reset passwords for administrative accounts, leading to full system access.
The vulnerability can be reproduced by first generating a list of possible password reset tokens for a target email address. This is done by encoding the email address with a predictable template string and a timestamp into a Base64 format. After generating these tokens, an automated script can be used to attempt to reset the password by sending a request with the brute-forced token. If the token is valid, the password can be changed, effectively taking over the account.
To address this vulnerability, it is recommended to implement cryptographically secure token generation, add rate limiting for password reset attempts, and ensure tokens expire after a short period. Additionally, storing tokens in a hashed format rather than plaintext can enhance security.
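The four recommendations above, combined in one Python class as an added example (this is not Academy LMS code or the vendor's fix). The class name, the 15-minute lifetime, the five-attempt limit and the in-memory dictionaries are assumptions for illustration; a deployment would persist this state in a database and also throttle by client address.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60       # assumed token lifetime, in seconds
MAX_ATTEMPTS = 5          # assumed failed redemptions allowed per window
ATTEMPT_WINDOW = 15 * 60  # assumed rate-limit window, in seconds


class ResetTokenStore:
    """Hypothetical store: random tokens, hashed at rest, expiring, throttled."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # email -> (sha256 hex digest, expiry time)
        self._failures = {}  # email -> timestamps of failed redemptions

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # 32 bytes from the OS CSPRNG: nothing derived from the email
        # address, a template string or the current time.
        token = secrets.token_urlsafe(32)
        self._tokens[email] = (self._digest(token), self._clock() + TOKEN_TTL)
        return token  # mailed to the user; only the digest is kept

    def redeem(self, email, token):
        now = self._clock()
        recent = [t for t in self._failures.get(email, [])
                  if now - t < ATTEMPT_WINDOW]
        self._failures[email] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"  # refuse before looking at the token
        record = self._tokens.get(email)
        if record is not None and now >= record[1]:
            del self._tokens[email]  # expired: discard
            record = None
        # Constant-time comparison of digests, never of raw tokens.
        if record is None or not hmac.compare_digest(
                record[0], self._digest(token)):
            recent.append(now)  # every failure counts toward the limit
            return "invalid"
        del self._tokens[email]  # single use
        return "ok"
```

Issuing a new token deliberately does not clear the failure history, so requesting another reset cannot be used to restart the attempt counter.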