No notification triggered on sensitive actions like 2FA enable/disable in ikus060/rdiffweb

Status: Valid

Reported on: Sep 29th 2022


Description

Enabling or disabling 2FA is a sensitive action. The application already triggers an email notification for other sensitive actions such as an email address change or a password reset, and 2FA is an equally important security setting, so a change to it should be notified to the user in the same way.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Complete all the steps required to enable 2FA
3) Check the inbox of the email address registered on the account
4) Notice that no notification is sent for this security-relevant change

Impact

If an attacker manages to disable 2FA by any means, the user receives no notification and remains unaware that the account's second factor is gone, so the weakened state can persist until the user happens to revisit the setting.
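To make the missing check concrete, here is an added example (it is not rdiffweb's code and not the fix in commit c27c46; the User, Outbox and handler names are hypothetical stand-ins for the application's user model and mail sender). It places the behaviour the report describes, a handler that flips the 2FA flag and sends nothing, next to a version that notifies the registered address on every real state change, enable or disable, and stays silent on a no-op re-submit:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class User:
    """Hypothetical user record; rdiffweb's own model is not used here."""
    username: str
    email: str
    mfa_enabled: bool = False


@dataclass
class Outbox:
    """Stand-in for the application's mail sender; records what would be sent."""
    sent: List[dict] = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


def set_mfa_silent(user: User, enabled: bool, outbox: Outbox) -> None:
    """Behaviour described in the report: the flag is flipped and nothing is sent."""
    user.mfa_enabled = enabled


def set_mfa_notified(user: User, enabled: bool, outbox: Outbox,
                     actor: Optional[str] = None) -> bool:
    """Flip the flag and mail the registered address on every real state change.

    Returns True if a notification was sent, False if the state was unchanged.
    Notifying on disable as well as enable is the point: the attack case is a
    disable the account owner did not perform.
    """
    if user.mfa_enabled == enabled:
        return False          # idempotent re-submit: no change, no mail
    user.mfa_enabled = enabled
    action = "enabled" if enabled else "disabled"
    outbox.send(
        to=user.email,        # address on record, not anything from the request
        subject=f"Two-factor authentication {action} on your account",
        body=(f"Two-factor authentication was {action} for '{user.username}' "
              f"by {actor or user.username}. If you did not make this change, "
              "review your account now."),
    )
    return True


def replay_poc(handler) -> int:
    """Run the report's steps (enable 2FA, then an unexpected disable) through
    a handler and return how many notifications reached the registered inbox."""
    user = User("alice", "alice@example.com")   # constructed sample user
    outbox = Outbox()
    handler(user, True, outbox)                  # step 2: the user enables 2FA
    handler(user, False, outbox)                 # later: someone disables it
    return len(outbox.sent)


if __name__ == "__main__":
    print("silent handler, mails sent:  ", replay_poc(set_mfa_silent))
    print("notified handler, mails sent:", replay_poc(set_mfa_notified))
```

The notification is addressed to the email stored on the account rather than to anything supplied with the request, and the actor is recorded so that a change made through an administrative path is distinguishable from one the user made themselves.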
Timeline

huntr started processing the report and contacted the ikus060/rdiffweb team within 24 hours.
Patrik Dufresne assigned a CVE to this report.
Patrik Dufresne validated this vulnerability.
Nehal Pillai was awarded the disclosure bounty; the fix bounty was opened.
The researcher's credibility increased by 7.
huntr sent a first fix follow-up to the ikus060/rdiffweb team (retry after 7 days), a second (retry after 10 days), and a third and final one, after which the report was considered stale.
Patrik Dufresne marked this as fixed in 2.5.0a7 with commit c27c46.
Patrik Dufresne was awarded the fix bounty.
This vulnerability has been assigned a CVE.
email_mfa.html#L1-L18 has been validated.
Patrik Dufresne published this vulnerability.