420 – Password reset poisoning

Description

The application generates password reset links improperly, allowing an attacker to manipulate the request by changing the domain to one under his control.

Impact

Compromising user accounts.

Recommendation

Ensure that password change URLs are not disposed in client-side requests.

Threat

Attacker without authentication from the Internet.

Expected Remediation Time

1440 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): L
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: A

Requirements

• 173 - Discard unsafe inputs
• 238 - Establish safe recovery

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/21