Password token validation in https://demo.weblate.org/
Unknown
Vulnerability Details
Hi team,
I noticed that when requesting multiple reset links at https://demo.weblate.org/, all of the tokens remain valid and can be used.
In numerous applications, the following policy is adopted as an additional security measure:
- keep valid only the token with the shortest lifetime (the last one requested)
or
- invalidate all generated reset links after successful use of one of them
Please check it.
Report Stats
- Report ID: 229987
- State: Closed
- Substate: resolved
- Upvotes: 2
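The two policies the reporter describes, as an added example that is not part of the report and not Weblate's own code. It is a hypothetical in-memory reset-token store: the `supersede_on_issue` switch selects policy 1 (a new request invalidates earlier links for the same user), and redeeming any live token always applies policy 2 (burns every remaining token for that user). Token lifetime, the injectable clock, and storing only a SHA-256 digest of the token are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed lifetime for the example; not a Weblate setting.
TOKEN_LIFETIME = 3600  # seconds


@dataclass
class _Record:
    user: str
    token_hash: bytes
    expires_at: float


class ResetTokenStore:
    """Hypothetical password-reset token store (not Weblate's implementation).

    supersede_on_issue=True  -> policy 1: issuing a new link for a user
                                invalidates every earlier link for that user.
    Redeeming a live token    -> policy 2: every other token for that user
                                is invalidated, so no stale link stays usable.
    """

    def __init__(self, supersede_on_issue: bool = True,
                 clock: Callable[[], float] = time.time) -> None:
        self._supersede = supersede_on_issue
        self._clock = clock          # injectable so expiry can be tested offline
        self._records: List[_Record] = []

    @staticmethod
    def _hash(token: str) -> bytes:
        # Only a digest is kept at rest, so a leaked table does not
        # directly yield working reset links.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def _purge_user(self, user: str) -> None:
        self._records = [r for r in self._records if r.user != user]

    def issue(self, user: str) -> str:
        """Create a reset token for `user` and return the raw token
        (this is what would go into the emailed link)."""
        if self._supersede:
            self._purge_user(user)   # policy 1: older links die now
        token = secrets.token_urlsafe(32)
        self._records.append(
            _Record(user, self._hash(token), self._clock() + TOKEN_LIFETIME))
        return token

    def live_tokens(self, user: str) -> int:
        """Number of unexpired tokens currently valid for `user`."""
        now = self._clock()
        return sum(1 for r in self._records
                   if r.user == user and r.expires_at > now)

    def redeem(self, token: str) -> Optional[str]:
        """Validate `token`. On success return the owning user and invalidate
        all of that user's tokens; return None if the token is unknown,
        expired, superseded, or already used."""
        digest = self._hash(token)
        now = self._clock()
        for record in self._records:
            # Constant-time comparison avoids leaking digest prefixes via timing.
            if not hmac.compare_digest(record.token_hash, digest):
                continue
            if record.expires_at <= now:
                self._records.remove(record)   # expired: drop and reject
                return None
            user = record.user
            self._purge_user(user)             # policy 2: one use burns them all
            return user
        return None


if __name__ == "__main__":
    store = ResetTokenStore()
    first = store.issue("alice")
    second = store.issue("alice")
    print("first link still valid:", store.redeem(first) is not None)   # False
    print("latest link redeems:", store.redeem(second))                  # alice
    print("replay of latest link:", store.redeem(second))                # None
```

With `supersede_on_issue=False` the store reproduces the behaviour the report complains about (all requested links stay valid) right up until one of them is used, at which point policy 2 still revokes the rest; with the default `True` only the most recently requested link ever works.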