V2Board and Xboard Authentication Token Exposure Vulnerability Allowing Unauthenticated Account Takeover
Vulnerability
A vulnerability exists in V2Board versions from 1.6.1 before 1.7.4 and in Xboard versions through 0.1.9. When the 'login_with_mail_link_enable' feature is active, the 'loginWithMailLink' endpoint exposes authentication tokens in the HTTP response body instead of delivering them only by e-mail. Unauthenticated attackers can exploit this by sending a POST request to the 'loginWithMailLink' endpoint with a known email address. The response includes the magic login link containing a verification token, which can be exchanged at the 'token2Login' endpoint for a valid bearer token. This token grants full access to the targeted user's account, including administrative privileges when that account is an administrator.
Impact
Exploitation of this vulnerability allows for unauthorized access to user accounts, including those of administrators, with the ability to access sensitive user data and perform administrative actions.
Reproduction
To reproduce this vulnerability, first ensure that the 'login_with_mail_link_enable' feature is activated in the admin panel. Then send a POST request to the 'loginWithMailLink' endpoint with a valid email address. The response body will include the magic login link with its verification token, even though that link should only have reached the user's mailbox. The token can then be exchanged at the 'token2Login' endpoint for a bearer token, which provides access to the user's account.
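To make the defect and its fix concrete, the following is an added illustration written for this page in Python; it is not V2Board or Xboard code (those projects are PHP). It models the flaw described above (the handler echoes the magic link, and with it the verification token, in the response body) beside a hardened handler (the link goes only to the mailbox and the response is a constant acknowledgement that reveals neither the token nor whether the address exists), together with a regression check a maintainer or tester can run against the endpoint's JSON. The user store, URL and all function names are constructed for the example.

```python
"""Vulnerable vs. hardened 'magic link' login handler.

Added example modelling the advisory's flaw; not V2Board/Xboard code.
"""
import secrets
import time
from dataclasses import dataclass, field

# Constructed user store: email -> account id (hypothetical data).
USERS = {"admin@example.invalid": 1, "alice@example.invalid": 2}


@dataclass
class App:
    base_url: str = "https://panel.example.invalid"  # placeholder host
    outbox: list = field(default_factory=list)       # stands in for the mail queue
    tokens: dict = field(default_factory=dict)       # token -> (user_id, expiry)

    def _issue_token(self, user_id):
        # Random, single-use, short-lived verification token.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, time.time() + 300)
        return token

    def login_with_mail_link_vulnerable(self, email):
        """Models the advisory's defect: the magic link (and therefore the
        verification token) is returned in the HTTP response body, so anyone
        who knows the email address receives it without reading the mailbox."""
        user_id = USERS.get(email)
        if user_id is None:
            return {"status": "fail", "message": "unknown user"}
        token = self._issue_token(user_id)
        link = f"{self.base_url}/#/login?verify={token}"
        self.outbox.append((email, link))
        return {"status": "success", "data": link}   # <-- token leaks here

    def login_with_mail_link_fixed(self, email):
        """Hardened form: the link is only queued for e-mail delivery, and the
        response is a constant acknowledgement. It neither carries the token
        nor distinguishes registered from unregistered addresses."""
        user_id = USERS.get(email)
        if user_id is not None:
            token = self._issue_token(user_id)
            self.outbox.append((email, f"{self.base_url}/#/login?verify={token}"))
        return {"status": "success", "data": True}

    def token2login(self, token):
        """Exchange a verification token for a session: single use, time limited.
        Returns the user id, or None if the token is unknown, used or expired."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


def response_leaks_token(app, response):
    """Regression check: does any outstanding verification token appear anywhere
    in the serialised response body?"""
    body = repr(response)
    return any(tok in body for tok in app.tokens)
```

The check is deliberately independent of the response shape: it serialises the whole body and searches for every token the server has outstanding, so a link hidden in a nested field or a renamed key is still caught.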
Remediation
Update to V2Board version 1.7.5 or later, or to Xboard version 0.2.0 or later, where this vulnerability has been patched. Until the upgrade is applied, disabling the 'login_with_mail_link_enable' feature removes the exposed code path.
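For deployments that cannot upgrade immediately, abuse of this flow leaves a footprint in the web server's access logs. The following added detection example (Python; not part of the advisory or of either project) flags two signals per client IP: an unusually high rate of successful 'loginWithMailLink' requests, and a 'token2Login' call arriving within seconds of a 'loginWithMailLink' request from the same address, which a genuine user who has to open a mailbox first rarely produces. The log lines are constructed, the '/api/v1/passport/auth/' path prefix is assumed, and the thresholds are illustrative; only the two endpoint names come from the advisory.

```python
"""Flag suspicious use of the mail-link login flow in access logs.

Added detection example; log format, path prefix and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (common log format). The path prefix is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 312
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v1/passport/auth/token2Login?verify=REDACTED HTTP/1.1" 200 198
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 45
198.51.100.20 - - [01/Jan/2024:10:09:30 +0000] "GET /api/v1/passport/auth/token2Login?verify=REDACTED HTTP/1.1" 200 198
192.0.2.9 - - [01/Jan/2024:11:00:00 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 310
192.0.2.9 - - [01/Jan/2024:11:00:01 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 311
192.0.2.9 - - [01/Jan/2024:11:00:02 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 309
192.0.2.9 - - [01/Jan/2024:11:00:03 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 312
192.0.2.9 - - [01/Jan/2024:11:00:04 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 310
192.0.2.9 - - [01/Jan/2024:11:00:05 +0000] "POST /api/v1/passport/auth/loginWithMailLink HTTP/1.1" 200 311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield dicts for lines that match the access-log pattern; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],   # drop any query string
            "status": int(m["status"]),
        }


def detect(lines, max_link_requests=5, window=timedelta(minutes=5),
           fast_exchange=timedelta(seconds=30)):
    """Return {ip: [reasons]} for addresses showing either signal:
    1. more than max_link_requests successful loginWithMailLink POSTs inside
       `window` (one person rarely asks for that many links that quickly);
    2. a successful token2Login within `fast_exchange` of a loginWithMailLink
       from the same IP (no time to have read the e-mail)."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 200:
            by_ip[e["ip"]].append(e)

    findings = defaultdict(list)
    for ip, evs in by_ip.items():
        links = [e["ts"] for e in evs
                 if e["method"] == "POST" and e["path"].endswith("/loginWithMailLink")]
        exchanges = [e["ts"] for e in evs if e["path"].endswith("/token2Login")]

        # Signal 1: sliding window over link requests.
        for i, start in enumerate(links):
            n = sum(1 for t in links[i:] if t - start <= window)
            if n > max_link_requests:
                findings[ip].append(f"{n} magic-link requests within {window}")
                break

        # Signal 2: exchange too soon after a link request.
        secs = int(fast_exchange.total_seconds())
        for x in exchanges:
            if any(timedelta(0) <= x - l <= fast_exchange for l in links):
                findings[ip].append(f"token2Login within {secs}s of loginWithMailLink")
                break
    return dict(findings)
```

Signal 2 is the more specific of the two: on a patched server a user still has to leave the site, open the mail client and click, so a near-instant exchange from the same address is worth a look even at low volume. Tune `max_link_requests` and `window` to the deployment's normal traffic before alerting on signal 1.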
