Wallos Password Reset Token Expiration Vulnerability

Vulnerability

A vulnerability in Wallos, a personal subscription tracker, allows password reset tokens to remain valid indefinitely. The issue affects versions through 4.6.2. Although the 'password_resets' table includes a 'created_at' timestamp, the token validation process does not consider it. As a result, an intercepted reset link can be used at any time, potentially leading to unauthorized account access.

Impact

Because reset tokens never expire, an attacker who intercepts or later obtains a previously issued token can use it to take over the account.

Reproduction

To reproduce this vulnerability, request a password reset; a token is generated and stored in the database together with its timestamp. That token can then be used at any later time to reset the password, regardless of how much time has passed since it was issued.
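The following is an added illustration, not code from Wallos: a constructed sqlite table modelled on the 'password_resets' table named above, with a lookup that mirrors the reported flaw (created_at written but never checked) next to a hardened lookup that enforces a time-to-live and consumes the token on first use. The 30-minute TTL and the hashed-token column are assumptions for the example.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy: reset links die after 30 minutes


def open_db():
    # Constructed schema modelled on the 'password_resets' table named in the
    # advisory; created_at is stored here as a Unix timestamp.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_resets "
               "(email TEXT, token_hash TEXT, created_at INTEGER)")
    return db


def _digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, email, now):
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO password_resets VALUES (?, ?, ?)",
               (email, _digest(token), now))
    return token


def validate_vulnerable(db, token):
    # Mirrors the reported flaw: created_at is written but never read, so
    # any token that was ever issued stays valid forever.
    row = db.execute("SELECT email FROM password_resets WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    return row[0] if row else None


def validate_fixed(db, token, now):
    # Hardened lookup: enforce the TTL against created_at and consume the
    # token on first presentation, whether it is still valid or has expired.
    row = db.execute("SELECT email, created_at FROM password_resets "
                     "WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None:
        return None
    db.execute("DELETE FROM password_resets WHERE token_hash = ?",
               (_digest(token),))
    if now - row[1] > TOKEN_TTL_SECONDS:
        return None
    return row[0]
```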

Remediation

Users are advised to update to Wallos version 4.7.2, where this vulnerability has been fixed.

Added: Mar 24, 2026, 7:33 PM
Updated: Mar 24, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          5.0
  exploitability  5.0
  remediation     7.7
  relevance       4.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.