blueprintUE Password Change Vulnerability Allows Account Takeover
Vulnerability
A vulnerability in blueprintUE prior to version 4.2.0 allows for unverified password changes, leading to permanent account takeover. The password change form at '/profile/{slug}/edit/' lacks a 'current_password' field and does not verify the user's existing password before accepting a new one. This flaw enables an attacker with a valid authenticated session—gained through methods like XSS, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen 'remember me' cookie—to change the account password without knowledge of the original credentials.
Impact
Exploitation of this vulnerability allows for full, irrecoverable account takeover. An attacker can change the password and email address of the victim, locking them out of their account and severing their password recovery path. This vulnerability is particularly severe when combined with the lack of session invalidation after a password change, as it allows an attacker to maintain access even if the victim attempts to regain control of their account.
Reproduction
To reproduce this vulnerability, log into an account and copy the session cookie. In a second browser, inject or use the stolen session cookie to simulate a session hijack. Navigate to '/profile/{user-a-slug}/edit/' and observe that the 'Change Password' form does not require a current password. Submit a new password without providing the old one, and the password will be changed successfully. Confirm that the original session owner can no longer log in with their original password.
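The following is an added Python example, not blueprintUE's own code, that contrasts a password-change handler with the two weaknesses described above (no current-password check, other sessions left alive) against a hardened one that verifies the current password and drops every other session; the `User` model, session ids and form dictionaries are constructed stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor for this stand-in credential store


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is prepended to the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    """Constructed stand-in for an account; sessions holds every live session id."""
    password_hash: bytes
    sessions: set = field(default_factory=set)


def change_password_unverified(user: User, session_id: str, form: dict) -> bool:
    """Behaviour the advisory describes for blueprintUE before 4.2.0: any
    authenticated session may set a new password, no current_password field
    is checked, and all other sessions remain valid afterwards."""
    if session_id not in user.sessions:
        return False
    user.password_hash = hash_password(form["new_password"])
    return True


def change_password_verified(user: User, session_id: str, form: dict) -> bool:
    """Hardened handler: the existing password must be supplied and verify,
    and every session other than the one making the change is dropped so a
    hijacked session cannot survive the change."""
    if session_id not in user.sessions:
        return False
    current = form.get("current_password")
    if not current or not verify_password(current, user.password_hash):
        return False  # missing or wrong current password: reject the change
    user.password_hash = hash_password(form["new_password"])
    user.sessions.intersection_update({session_id})
    return True
```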
Remediation
Users are advised to update to blueprintUE version 4.2.0 or later, where this vulnerability has been fixed.
