+ "details": "### Summary\nA Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.\n\n### Details\nThe vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.\n\nSpecifically, the sensitive token is embedded in:\n<input type=\"hidden\" name=\"code\" value=\"[SECRET_TOKEN]\">\n\nBecause this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.\n\n### PoC\n1. The attacker asks for a password reset for the victim\n\n<img width=\"1328\" height=\"580\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0197907e-f10b-4e6d-989e-f25c408862cd\" />\n\n<img width=\"1139\" height=\"452\" alt=\"image(1)\" src=\"https://github.com/user-attachments/assets/9a317b27-b56a-4663-9965-d3e660713f4e\" />\n\n\n2. The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML.\n<img width=\"917\" height=\"220\" alt=\"image(2)\" src=\"https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348\" />\n\n3. With this code, the attacker is able to use it in order to reset the victim password.\n<img width=\"1335\" height=\"711\" alt=\"image(3)\" src=\"https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d\" />\n\n<img width=\"1258\" height=\"524\" alt=\"image(4)\" src=\"https://github.com/user-attachments/assets/d1304dc3-bf56-4ec7-920c-ecce502db6b0\" />\n\n4. The attacker is able to login with the new password.\n\n<img width=\"1514\" height=\"631\" alt=\"image(5)\" src=\"https://github.com/user-attachments/assets/2533032e-6f0d-45c8-9fe1-881bfedebcc4\" />\n\n<img width=\"1528\" height=\"647\" alt=\"image(6)\" src=\"https://github.com/user-attachments/assets/a6e9144c-cc96-493d-8780-9156c299a192\" />\n\n\n\n### Impact\n- An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments