Saleor Cross-Account Email Change Vulnerability via Unbound Confirmation Token

Vulnerability

A business-logic and authorization flaw exists in Saleor's email change workflow. Affected are versions from 2.10.0 up to, but not including, 3.23.0a3, and the 3.22, 3.21, and 3.20 release lines before 3.22.47, 3.21.54, and 3.20.118 respectively. The confirmation step does not verify that the email change token was issued for the currently authenticated user: any token the server itself issued is accepted, so a valid token obtained for one account can be applied to a different account, rewriting that account's email address to one controlled by the attacker. Once the attacker controls the email address on file, a password reset or account recovery flow delivers the account to them.

Impact

Exploitation allows an authenticated user to change the email address of another user's account to an attacker-controlled address by reusing an email change token that was not issued for the account being modified. Because the email address is the anchor for password reset and recovery, this compromises account integrity and leads to full account takeover.

Reproduction

To reproduce, request an email change on one account (the attacker's) to an attacker-controlled address; the server issues a confirmation token for that request. Present that same token to the confirmation step while a different account (the victim's) is the authenticated user. The confirmation succeeds, because the server checks only that the token is one it issued and never that it was issued for the user it is being applied to, and the victim's email address is rewritten to the attacker's address.
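The missing binding check, as an added example that is not Saleor's code: a minimal email-change workflow with HMAC-signed tokens, a confirmation handler with the flaw the advisory describes, and a hardened handler that refuses any token not issued for the authenticated user. The token format, claim names, the in-memory user store and SECRET_KEY are constructed for this example; how the attacker's token reaches a request authenticated as the victim is outside what it models.

```python
"""Added demonstration, not Saleor's code: an email-change confirmation that
accepts any validly signed token (the flaw described above) beside one that
binds the token to the authenticated user. Token format, claim names, the
in-memory user store and SECRET_KEY are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-signing-key"  # assumption: stands in for the server secret

# Constructed user store: id -> record. 1 is the victim, 2 the attacker.
USERS = {
    1: {"email": "victim@example.com"},
    2: {"email": "attacker@example.com"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def issue_email_change_token(user_id: int, new_email: str, ttl: int = 3600) -> str:
    """Step 1: the authenticated user requests a change and receives a signed
    token carrying the requesting user's id and both addresses."""
    claims = {
        "user_id": user_id,
        "old_email": USERS[user_id]["email"],
        "new_email": new_email,
        "exp": int(time.time()) + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def _decode(token: str) -> dict:
    """Signature and expiry checks only; these pass for *any* genuine token."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def confirm_email_change_vulnerable(auth_user_id: int, token: str) -> str:
    """Flawed confirm: the token is genuine, so the *authenticated* user's
    email is rewritten without asking whom the token was issued for."""
    claims = _decode(token)
    USERS[auth_user_id]["email"] = claims["new_email"]
    return USERS[auth_user_id]["email"]


def confirm_email_change_fixed(auth_user_id: int, token: str) -> str:
    """Hardened confirm: the token must have been issued for this user and
    must still describe the account's current address."""
    claims = _decode(token)
    if claims["user_id"] != auth_user_id:
        raise PermissionError("token was not issued for the authenticated user")
    if claims["old_email"] != USERS[auth_user_id]["email"]:
        raise PermissionError("stale token: account email has changed")
    USERS[auth_user_id]["email"] = claims["new_email"]
    return USERS[auth_user_id]["email"]


def run_scenario() -> dict:
    """Attacker (2) obtains a token for their own account pointing at an
    attacker-controlled address; the token is then applied in a request
    where the victim (1) is the authenticated user."""
    USERS[1]["email"], USERS[2]["email"] = "victim@example.com", "attacker@example.com"
    token = issue_email_change_token(2, "attacker-inbox@evil.example")

    hijacked = confirm_email_change_vulnerable(1, token)  # victim's email rewritten

    USERS[1]["email"] = "victim@example.com"  # reset before the hardened run
    try:
        confirm_email_change_fixed(1, token)
        rejected = False
    except PermissionError:
        rejected = True

    own = confirm_email_change_fixed(2, token)  # legitimate use still works
    return {
        "victim_after_vulnerable": hijacked,
        "fixed_rejects_cross_account": rejected,
        "victim_after_fixed": USERS[1]["email"],
        "attacker_own_change": own,
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The fix is the `user_id` comparison in `confirm_email_change_fixed`: a token is a capability for exactly one account, so the handler must compare the identity inside the token with the identity of the session presenting it, and the `old_email` check additionally invalidates a token once the account's address has moved on.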

Remediation

Upgrade to Saleor 3.23.0a3, or to the patched release on your current branch: 3.22.47, 3.21.54, or 3.20.118.

Added: Apr 8, 2026, 7:50 PM
Updated: Apr 8, 2026, 7:50 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.