You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Vulnerability Type: Broken Access Control / Function Level Authorization Bypass (CWE-284)
Vulnerability description and hazards: The user password reset endpoint allows any authenticated low-privilege user to reset another account's password by ID. The actual reproduction report shows that low permissions account resets the password of user id = 2, and the before/after user list diff confirms that the target account's stored password hash changes even though the attacker lacks the expected user-management permission boundary.
id = 2, and the before/after user list diff confirms that the target account's stored password hash changes even though the attacker lacks the expected user-management permission boundary.