Description
During my test, I found that in Cockpit v2.1.2, the application was not validating the request after a password change. This allows an attacker to update user account details even after the admin changes the password.
Steps to Reproduce:
- Log in with your account, click on "Account Settings", update your details and intercept the request in Burp Suite/OWASP ZAP.
- Now change your account password and try changing your account details from the request we captured before changing the password.
- You will notice that the application returns the following response.
- {"error": "401", "message": "Unauthorized request"}
- Now refresh the page. You will notice that the admin's account details have successfully changed.
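How the reported behaviour can arise and how a fix looks, as an added example that is not Cockpit's code: sessions are bound to a per-user password generation that is bumped on every password change, so a request captured before the change fails with 401, and the fixed handler authorises before it writes, so nothing persists. The service structure, field names and the two handler variants are hypothetical; the vulnerable handler deliberately writes first and checks second to reproduce the "401 yet the change went through" symptom.

```python
import hashlib, secrets
UNAUTHORIZED = {"error": "401", "message": "Unauthorized request"}

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "email", "pw_gen"}
        self.sessions = {}  # token -> (username, pw_gen when the session was issued)
    def register(self, username, password, email):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": hash_pw(password, salt),
                                "email": email, "pw_gen": 0}

    def login(self, username, password):
        u = self.users[username]
        if not secrets.compare_digest(hash_pw(password, u["salt"]), u["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, u["pw_gen"])
        return token

    def _authorised(self, token):
        # A session issued before the latest password change is stale.
        username, gen = self.sessions.get(token, (None, None))
        return username if gen == self.users.get(username, {}).get("pw_gen") else None

    def change_password(self, token, new_password):
        username = self._authorised(token)
        if username is None:
            return UNAUTHORIZED
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = hash_pw(new_password, u["salt"])
        u["pw_gen"] += 1   # every previously issued session is now stale
        return {"ok": True}

    def update_email_vulnerable(self, token, email):
        # Write-then-check: the caller is told 401, yet the change has already persisted.
        if token not in self.sessions:
            return UNAUTHORIZED
        self.users[self.sessions[token][0]]["email"] = email
        return {"ok": True} if self._authorised(token) else UNAUTHORIZED

    def update_email_fixed(self, token, email):
        username = self._authorised(token)   # authorise first, then mutate
        if username is None:
            return UNAUTHORIZED
        self.users[username]["email"] = email
        return {"ok": True}
```

Detection-wise, a 401 response on a mutating endpoint should never coincide with a changed row; checking that invariant in integration tests catches this ordering bug before release.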