Vikunja Password Reset Logic Flaw Allows Account Reactivation for Disabled Users
Vulnerability
A vulnerability in Vikunja's password reset process prior to version 2.2.0 enables disabled users to reactivate their accounts. The issue arises because the 'ResetPassword()' function unconditionally sets the user's status to 'Active' after a successful password reset, without checking whether an administrator had previously disabled the account. A disabled user who can still obtain a reset token can therefore bypass the restriction and regain access. The vulnerability is present in Vikunja versions through 2.1.0.
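The flaw and its fix, as an added Go example that is not Vikunja's own code: a simplified user model (the type, field and status names are assumptions, since the page does not show the real 'ResetPassword()' signature) with the vulnerable behaviour beside a hardened variant that checks the disabled flag before honouring a token.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Status and User are simplified stand-ins for Vikunja's real types (assumed here, not from the page).
type Status int

const StatusActive, StatusDisabled Status = 1, 2

type User struct {
	Username, Password, ResetToken string // a real implementation stores a password hash
	Status                         Status
}

var ErrInvalidToken = errors.New("invalid or missing reset token")
var ErrAccountDisabled = errors.New("account is disabled; password reset refused")

// tokenMatches rejects empty tokens first: ConstantTimeCompare("", "") would return 1.
func tokenMatches(u *User, token string) bool {
	return token != "" && subtle.ConstantTimeCompare([]byte(u.ResetToken), []byte(token)) == 1
}

// resetPasswordVulnerable reproduces the flaw: a valid token always flips the
// account to Active, silently undoing an administrator's disablement.
func resetPasswordVulnerable(u *User, token, newPassword string) error {
	if !tokenMatches(u, token) {
		return ErrInvalidToken
	}
	u.Password, u.ResetToken = newPassword, ""
	u.Status = StatusActive
	return nil
}

// resetPasswordFixed checks the disabled flag before anything else, so the reset flow
// cannot reactivate an account; the token-issuing endpoint should apply the same check.
func resetPasswordFixed(u *User, token, newPassword string) error {
	if u.Status == StatusDisabled {
		return ErrAccountDisabled
	}
	if !tokenMatches(u, token) {
		return ErrInvalidToken
	}
	u.Password, u.ResetToken = newPassword, "" // status is left exactly as it was
	return nil
}
```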
Impact
Exploiting this vulnerability bypasses administrator-imposed account disablement, allowing disabled users to regain access to their accounts and associated resources.
Reproduction
To reproduce this vulnerability, first create a standard user account and then disable it through the admin panel or by directly modifying the database. After confirming that the account is disabled, send a password reset request for that account. Once the reset token is received, use it to reset the password. After the reset, the account is reactivated and the previously disabled user can log in again.
Remediation
Users can update to Vikunja version 2.2.0 or later, where this vulnerability has been patched.