Vikunja Password Reset Token Reuse Vulnerability Allowing Account Takeover
Vulnerability
A business logic vulnerability has been identified in Vikunja, an open-source task management platform, in versions prior to 2.1.0. The issue resides in the password reset mechanism of the Vikunja API, where password reset tokens can be reused indefinitely. This vulnerability arises from a failure to invalidate tokens after use and a critical logic error in the token cleanup cron job, allowing reset tokens to remain valid permanently. Consequently, an attacker who intercepts a reset token can exploit it for a complete and persistent account takeover, bypassing standard authentication controls.
Impact
Exploitation of this vulnerability allows for persistent account takeover, as an intercepted password reset token can be used to reset a user's password an unlimited number of times. This exploitation can occur even if the user changes their password, as the attacker can simply use the old token to reset it again. The vulnerability also creates an infinite attack window, as the faulty token cleanup cron job allows the token to remain valid forever.
Reproduction
To reproduce this vulnerability, obtain a password reset token issued for a user account, for example through phishing or by recovering it from logs or browser history. Once the token is obtained, it can be used to reset the user's password. After the password has been changed, the same token can be used again to reset it, effectively taking over the account.
Remediation
Users should upgrade to Vikunja version 2.1.0, which addresses this vulnerability by ensuring that password reset tokens are invalidated after use. Instructions for upgrading are available in the Vikunja documentation.
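The two halves of the fix described above, shown side by side with the flawed pattern as an added Go example (not Vikunja's own code): a reset handler that leaves the token in place after use, a hardened handler that clears it and rejects it past its lifetime, and a cleanup job that drops expired tokens. The `User` record, the 24-hour TTL and the function names are assumptions for the demo, not Vikunja's schema or API.

```go
package main

import (
	"errors"
	"time"
)

// User is a hypothetical in-memory record (not Vikunja's schema) for this demo.
type User struct {
	PasswordHash      string
	ResetToken        string
	ResetTokenCreated time.Time
}

var ErrInvalidToken = errors.New("invalid or expired reset token")
const resetTokenTTL = 24 * time.Hour // assumed token lifetime

// ResetPasswordVulnerable reproduces the flawed pattern in the advisory:
// the token is checked but never cleared, so it keeps working after use.
func ResetPasswordVulnerable(u *User, token, newHash string) error {
	if u.ResetToken == "" || u.ResetToken != token {
		return ErrInvalidToken
	}
	u.PasswordHash = newHash
	// Bug: u.ResetToken is left in place, so the same token resets the password again.
	return nil
}

// ResetPasswordFixed makes the token single-use and rejects it after its TTL, so a broken cleanup job cannot extend the window.
func ResetPasswordFixed(u *User, token, newHash string, now time.Time) error {
	if u.ResetToken == "" || u.ResetToken != token || now.Sub(u.ResetTokenCreated) > resetTokenTTL {
		return ErrInvalidToken
	}
	u.PasswordHash = newHash
	u.ResetToken = "" // invalidate on use: a replay of the same token now fails
	return nil
}

// CleanupExpiredTokens is the cron-job half: clear every token older than the TTL
// and report how many were cleared so the job's effect can be verified.
func CleanupExpiredTokens(users []*User, now time.Time) int {
	cleared := 0
	for _, u := range users {
		if u.ResetToken != "" && now.Sub(u.ResetTokenCreated) > resetTokenTTL {
			u.ResetToken = ""
			cleared++
		}
	}
	return cleared
}
```

Checking the fixed handler at use time as well as in the cleanup job means a stalled or mis-written cron job no longer turns a stale token into a permanent one.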