IDOR in password change page leads to administrative account takeover in kareadita/kavita


Reported on

Aug 6th 2022


The password change function doesn't properly handle the Change Password role, allowing to any user, that has this role enabled, to change the password of any user in the system, including the administrator account.

Proof of Concept

  1. 1 - Log in as a normal user that can change its own password.
  2. 2 - Send the following request:
POST /api/account/reset-password HTTP/1.1
Host: localhost:5000
Content-Type: application/json
Authorization: Bearer <user-token>

  1. 3 - The admin password is changed successfully idor


An attacker can change the password of any user in the system, including the administrator, which leads to the application takeover.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 2 years ago
kareadita/kavita maintainer has acknowledged this report 2 years ago
Joe Milazzo validated this vulnerability 2 years ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Milazzo
2 years ago


Fixed locally

Joe Milazzo marked this as fixed in with commit 9c31f7 2 years ago
Joe Milazzo has been awarded the fix bounty
AccountController.cs#L79 has been validated
to join this conversation