Statamic Password Reset Feature Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability allowing account takeover via password reset link injection has been identified in Statamic CMS, affecting 6.x releases prior to 6.3.3 and 5.x releases prior to 5.73.10. The issue lies in the password reset feature: an attacker can capture a user's reset token and use it to reset that user's password. The attacker must know the email address of a valid account, and the user must click the reset link delivered to their email, even though they did not request a password reset.

Impact

Exploitation of this vulnerability allows an attacker to reset the password of a user, effectively taking over their account.

Reproduction

To reproduce this vulnerability, an attacker must know the email address of a valid user account. They can then initiate a password reset request, which will be sent to the user's email. The user must be tricked into clicking the reset link, after which the attacker can use the captured token to reset the user's password and gain access to their account.
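The advisory describes the reset link as "injected" but does not say how. The following added Python example (not Statamic's own code) assumes the usual cause of reset-link injection in web applications, namely a link origin built from request data rather than from server configuration, and shows the defensive pattern: the link origin comes only from a configured `APP_URL` (a constructed value), an outbound guard refuses to send any link that does not point at that origin, and only a hash of the token is stored server-side.

```python
# Added illustration, not Statamic's own code. The advisory says only that the
# reset link can be injected; this assumes the usual cause in web apps (an
# assumption, not a statement about Statamic): the link's origin being built
# from request data instead of from server configuration.
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse

# Canonical site origin taken from configuration (constructed sample value).
APP_URL = "https://cms.example.test"


def issue_token() -> str:
    """Random, unguessable reset token; persist only hash_token(token)."""
    return secrets.token_urlsafe(32)


def hash_token(token: str) -> str:
    """Hash kept server-side so a leaked table does not yield live links."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_matches(stored_hash: str, presented: str) -> bool:
    """Constant-time check of a presented token against the stored hash."""
    return hmac.compare_digest(stored_hash, hash_token(presented))


def build_reset_link(token: str, email: str, app_url: str = APP_URL) -> str:
    """Origin comes only from configuration; nothing from the request is used."""
    query = urlencode({"token": token, "email": email})
    return f"{app_url.rstrip('/')}/password/reset?{query}"


def link_is_canonical(link: str, app_url: str = APP_URL) -> bool:
    """Outbound guard: refuse to email any reset link not on our own origin."""
    got, want = urlparse(link), urlparse(app_url)
    return got.scheme == want.scheme and got.netloc.lower() == want.netloc.lower()
```

The guard belongs in the mailer path, so that a link whose host was influenced by anything request-derived is dropped and logged rather than delivered to the user.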

Remediation

Users should upgrade to Statamic version 6.3.3 or 5.73.10 to address this vulnerability.

Added: Feb 24, 2026, 11:09 PM
Updated: Feb 24, 2026, 11:09 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          5.2
  impact          1.3
  exploitability  7.0
  remediation     7.7
  relevance       3.1
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.