huntr / whoisshuvam / 3080FC96-75D7-4868-84DE-9FC8C9B90290
History: Aug 06, 2022 - 3:48 a.m.

Insufficient Session Expiration After Password Change

Published: 2022-08-06 03:48:04
Reporter: whoisshuvam
Source: www.huntr.dev
Tags: session expiration, password change, cockpit v 2.1.2, unauthorized request, account details

EPSS: 0.002
Percentile: 57.1%

Description

During my test, I found that in Cockpit v 2.1.2, the application was not validating the request after a password change. This allows an attacker to update user account details even after the admin changes the password.

Steps to Reproduce:

  1. Log in with your account, click on "Account Settings", update your details, and intercept the request in Burp Suite / OWASP ZAP.
  2. Now change your account password and try changing your account details from the request we captured before changing the password.
  3. You will notice that the application returns the following response:
  4. {"error": "401", "message": "Unauthorized request"}
  5. Now refresh the page. You will notice that our admin's account details have successfully changed.

Proof Of Concept: https://drive.google.com/file/d/1yqwYB1o8jfXtPUTgQ_yzI_sRqkfAyXx3/view?usp=sharing
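An added illustration of the server-side fix, written for this page and not taken from Cockpit or from the report: each session records the password generation it was issued under, a password change bumps that generation so every older session stops authenticating, and the session check runs before any account field is written, so a replayed request cannot both return 401 and still apply the change. The service, user names and field names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    pw_hash: str
    password_generation: int = 0            # bumped on every password change
    profile: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    password_generation: int                # generation the session was issued under


class AccountService:
    """Constructed toy service (not Cockpit's code) showing session invalidation."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(pw):
        return hashlib.sha256(pw.encode()).hexdigest()   # toy hash; a real app uses a KDF

    def add_user(self, name, password):
        self.users[name] = User(name, self._hash(password))

    def login(self, name, password):
        user = self.users[name]
        if not hmac.compare_digest(user.pw_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_generation)
        return token

    def _authenticate(self, token):
        """Reject unknown tokens and tokens issued before the last password change."""
        s = self.sessions.get(token)
        if s is None or s.password_generation != self.users[s.user].password_generation:
            self.sessions.pop(token, None)  # drop the stale session server-side
            return None
        return self.users[s.user]

    def update_profile(self, token, **fields):
        user = self._authenticate(token)    # check BEFORE mutating any state
        if user is None:
            return {"error": "401", "message": "Unauthorized request"}
        user.profile.update(fields)
        return {"ok": True}

    def change_password(self, token, new_password):
        user = self._authenticate(token)
        if user is None:
            return {"error": "401", "message": "Unauthorized request"}
        user.pw_hash = self._hash(new_password)
        user.password_generation += 1       # every previously issued session is now invalid
        return {"ok": True, "token": self.login(user.name, new_password)}
```

A replayed pre-change request is rejected and leaves the profile untouched, while the fresh token handed back by change_password keeps working.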

