Reset password more than once with a reset link #2
Unknown
Vulnerability Details
Following the fix on #243594, this is still possible.
## Reproduction Steps
1. Request a password reset.
2. Load the link in the email and set a new password.
3. Navigate to https://demo.weblate.org/accounts/reset/
4. Fill in the email and captcha.
5. You'll be prompted to enter a new password.
NOTE: I figured that if the action is not performed within a few minutes, then this doesn't work.
I suggest you make the link expire after use rather than setting a time frame.
Best!
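A defender-side illustration of the suggested fix, added here as an example and not part of the report or of Weblate's own code: a reset-token store that invalidates a token on its first successful use in addition to the time window, with a `single_use=False` mode that models the reported behaviour. The class and function names, the 15-minute TTL and the email address are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed window; the report only says "a few minutes"


class ResetTokenStore:
    """In-memory password-reset token store (constructed example).

    Tokens are kept only as SHA-256 digests so a leaked table does not expose
    live reset links. With single_use=False a token stays valid until its
    window elapses even after the password was changed, which is the
    behaviour the report describes; with single_use=True (the fix) the
    first redemption burns it.
    """

    def __init__(self, single_use: bool = True, ttl: int = RESET_TTL_SECONDS):
        self.single_use = single_use
        self.ttl = ttl
        self._tokens: Dict[str, dict] = {}  # digest -> {email, expires, used}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh random token bound to `email`; returns the raw token for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "email": email,
            "expires": now + self.ttl,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the bound email if the token may set a password now, else None."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._digest(token))
        if rec is None or now >= rec["expires"]:
            return None  # unknown token or outside the time window
        if self.single_use and rec["used"]:
            return None  # already consumed: second use is rejected
        rec["used"] = True  # mark on first successful redemption
        return rec["email"]
```

In the weak mode the same link can set the password repeatedly until the window closes; in the single-use mode the second redemption returns `None`.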
Report Stats
- Report ID: 245450
- State: Closed
- Substate: resolved
- Upvotes: 6