password token validation
Low
Vulnerability Details
Hello,
When I reset my password, all tokens are valid and can be used. You should keep valid only the token from the last request, or you can invalidate all reset links after one of the requests is used successfully.
Steps:
1) Go to the password reset page and make more than one request.
2) Go to your email and use the first reset link.
3) You can change the password successfully.
Please check it,
Thanks.
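One way to get the behaviour the report asks for, shown as an added example that is not part of the original report or the affected project's code: keep a single reset token per user so that each new request replaces the previous one, and delete it on successful use. The `ResetTokenStore` class, the in-memory dictionary, and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Hypothetical in-memory store; a real application would use its database."""

    def __init__(self, ttl_seconds=3600):  # lifetime is an assumed value
        self.ttl = ttl_seconds
        self._by_user = {}  # user_id -> (sha256 hex of token, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a token; overwriting the entry invalidates any earlier one."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._by_user[user_id] = (self._digest(token), now + self.ttl)
        return token

    def redeem(self, user_id, token, now=None):
        """Return True once for the newest unexpired token, then revoke it."""
        now = time.time() if now is None else now
        entry = self._by_user.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._by_user[user_id]
            return False
        if not secrets.compare_digest(digest, self._digest(token)):
            return False
        del self._by_user[user_id]  # single use: nothing stays valid after success
        return True


def demo():
    """Replay the report's steps: two requests, then try the first link."""
    store = ResetTokenStore()
    first = store.issue("alice")   # constructed sample user
    second = store.issue("alice")  # second request replaces the first token
    return [store.redeem("alice", first),    # older link is rejected
            store.redeem("alice", second),   # newest link works once
            store.redeem("alice", second)]   # reuse is rejected
```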
Report Stats
- Report ID: 275242
- State: Closed
- Substate: informative
- Upvotes: 3