blueprintUE Password Reset Token Expiry Vulnerability
Vulnerability
A vulnerability exists in blueprintUE versions prior to 4.2.0. Password reset tokens are generated and stored alongside a timestamp recording when the reset was requested, but the redemption step verifies only that the email and token match; it never checks how much time has elapsed since that timestamp against a maximum allowed age. As a result, a token remains valid indefinitely until it is either used or replaced by a newer reset request for the same account. An attacker who obtains a token long after it was issued can therefore still use it to change the account's password.
Impact
This vulnerability allows unauthorized password resets: an attacker who recovers an old reset token can set a new password for the victim's account and take it over, because the short validity window that normally limits the usefulness of a leaked token is not enforced.
Reproduction
To reproduce this vulnerability, request a password reset for a user account. When the reset email with the token arrives, do not use it immediately; wait 24 hours or longer, then submit the password reset form with that old token. The password is changed successfully, demonstrating that the token was never expired despite its age.
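The following is an added illustration of the flaw and its fix, not blueprintUE's own code. It models the reset table as an in-memory store keyed by email, with an injectable clock so the 24-hour delay from the reproduction steps can be simulated offline. `redeem_vulnerable` checks only the email and token, as described above; `redeem_fixed` additionally rejects tokens older than an assumed `MAX_TOKEN_AGE` (one hour here; the real project's limit is not stated on this page). Hashing the token at rest and using a constant-time comparison are general hardening choices of this example, not claims about blueprintUE.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for the example; blueprintUE's actual limit is not given on this page.
MAX_TOKEN_AGE = 3600  # seconds


class ResetStore:
    """In-memory stand-in for a password_reset table: email -> (token hash, requested_at)."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so delay can be simulated
        self.rows = {}

    def request_reset(self, email):
        """Issue a fresh token and record when it was requested (replaces any older one)."""
        token = secrets.token_urlsafe(32)
        # Store a hash rather than the raw token so a database read alone is not enough to redeem.
        self.rows[email] = (hashlib.sha256(token.encode()).hexdigest(), self.now())
        return token  # this is the value that would go into the reset email

    def _lookup(self, email, token):
        """Return requested_at if email+token match the stored row, else None."""
        row = self.rows.get(email)
        if row is None:
            return None
        stored_hash, requested_at = row
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored_hash, candidate):
            return None
        return requested_at

    def redeem_vulnerable(self, email, token):
        """Pre-4.2.0 behaviour as described: match email+token, ignore the timestamp entirely."""
        if self._lookup(email, token) is None:
            return False
        self.rows.pop(email, None)  # token is invalidated once used, but never by age
        return True

    def redeem_fixed(self, email, token, max_age=MAX_TOKEN_AGE):
        """Hardened check: same match, plus the token must be younger than max_age."""
        requested_at = self._lookup(email, token)
        if requested_at is None:
            return False
        if self.now() - requested_at > max_age:
            self.rows.pop(email, None)  # stale token: discard so it cannot linger
            return False
        self.rows.pop(email, None)  # single use
        return True


def demonstrate(delay_seconds=48 * 3600):
    """Replay the reproduction steps: request a reset, wait delay_seconds, then redeem."""
    clock = [1_700_000_000.0]  # constructed fake time
    email = "alice@example.com"  # constructed account

    old_store = ResetStore(now=lambda: clock[0])
    old_token = old_store.request_reset(email)
    new_store = ResetStore(now=lambda: clock[0])
    new_token = new_store.request_reset(email)

    clock[0] += delay_seconds
    return {
        "vulnerable_accepts_old_token": old_store.redeem_vulnerable(email, old_token),
        "fixed_accepts_old_token": new_store.redeem_fixed(email, new_token),
    }


if __name__ == "__main__":
    print(demonstrate())            # token aged 48h
    print(demonstrate(delay_seconds=600))  # token aged 10 minutes
```

Note that the fixed path also deletes the row on a stale-token rejection; otherwise an old row would sit in the table indefinitely, and, with only a freshly generated token able to replace it, an attacker could keep probing for it without that row ever changing.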
Remediation
Users should update to blueprintUE version 4.2.0 or later, where this vulnerability has been fixed.
