The password reset verification does not appear to have the rate limit that is implemented for the email verification on sign up.
The password reset link looks like this:
On clicking the link, it prompts for a new password. When the form is submitted with an invalid token, it says:
That code isn't valid :/
But it is still possible to change the password with a valid token even after many failed attempts. This lets an attacker brute-force the token and reset the password.
As a result, an attacker can reset the password of any Arxius user given knowledge of the username (which is visible on an uploaded post) and the email address.
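Added example (not code from the report or from Arxius): a minimal reset-token verifier that shows the missing control, counting failed attempts per reset request and refusing even the correct token once the limit is reached, alongside a short expiry and a constant-time comparison. The attempt limit, TTL, class and status names are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # assumed policy: lock the request after 5 bad tokens
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed: token lives 15 minutes


@dataclass
class ResetRequest:
    token: str
    created_at: float
    failed_attempts: int = 0
    consumed: bool = False


class PasswordResetService:
    """In-memory store keyed by username; a real service would persist this."""

    def __init__(self, now=time.time):
        self._now = now
        self._requests: dict[str, ResetRequest] = {}

    def issue_token(self, username: str) -> str:
        # 256 bits of randomness: guessing is infeasible even without a limit,
        # but the attempt counter below is what stops brute force of short codes.
        token = secrets.token_urlsafe(32)
        self._requests[username] = ResetRequest(token, self._now())
        return token

    def verify(self, username: str, presented: str) -> str:
        req = self._requests.get(username)
        if req is None or req.consumed:
            return "no_active_request"
        if self._now() - req.created_at > RESET_TOKEN_TTL_SECONDS:
            del self._requests[username]
            return "expired"
        # Key point: once the limit is hit, even the correct token is refused.
        if req.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(req.token.encode(), presented.encode()):
            req.failed_attempts += 1
            return "locked" if req.failed_attempts >= MAX_FAILED_ATTEMPTS else "invalid"
        req.consumed = True   # single use: a second submit of the same token fails
        return "ok"
```

The user must request a fresh link after a lock, which is the behaviour the sign-up email verification already enforces.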
Send a brute-force request with the HTTP POST request below. Burp Suite Intruder is very handy for this kind of test.
POST /api/account/password HTTP/1.1
During my tests, I saw that
PHPSESSID cookie values can be anything. However, as this is a public page, validation of these values shouldn't block us.
Hope these details are sufficient.