huntr report 5340C2F6-0252-40F6-8929-CCA5D64958A5 by nehalr777
History: Sep 29, 2022 - 7:25 p.m.

Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw

2022-09-29 19:25:46
nehalr777
www.huntr.dev
2fa
verification bypass
application logic flaw
account access restriction

EPSS

0.001

Percentile

37.9%

Description

An attacker is able to bypass 2FA verification in the 2FA disable function of a user's account and restrict the user from accessing their account, due to an application logic flaw.

Proof of Concept

First of all, let us consider a scenario where a user has left his account open on a public device (library or cafe) and an attacker gets access to that device.

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on disable 2FA. Sadly, the verification code is sent to the user's email and you can't get access to it.
2) Let's dive into an application logic flaw.
3) The attacker will go to https://rdiffweb-dev.ikus-soft.com/prefs/general, change the email from the user's email to the attacker's email and save the changes.
4) He will go back to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and now click on disable 2FA again.
5) As the email associated with the account is now the attacker's email, he will receive the verification link.
6) He can go ahead and disable 2FA now.

POC:
https://drive.google.com/file/d/1iA_JSlhwCLt54IIpRHx2Ey9yt1Sltchq/view?usp=sharing
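The flaw modelled in Python as an added example (this is not rdiffweb's code; the class and function names, the in-memory outbox and the addresses are constructed assumptions): the reported flow, which trusts whatever e-mail the profile holds at the moment of the disable request, beside a hardened flow in which changing the e-mail is itself a step-up action verified at the address already on record, and the disable code always goes to the address bound when 2FA was enabled.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str                 # profile e-mail, editable at /prefs/general
    mfa_enabled: bool = True
    mfa_email: str = ""        # address bound when MFA was enabled (hardened design)
    outbox: dict = field(default_factory=dict)  # constructed stand-in for mail delivery
    def __post_init__(self):
        self.mfa_email = self.mfa_email or self.email

def send_code(acct, to):
    acct.outbox.setdefault(to, []).append(code := secrets.token_hex(4))
    return code

# Vulnerable flow (as reported): trusts whatever e-mail the profile holds right now.
def change_email_vulnerable(acct, new_email):
    acct.email = new_email                 # no step-up verification at all

def disable_mfa_request_vulnerable(acct):
    return send_code(acct, acct.email)     # code lands in the freshly edited address

# Hardened flow: the e-mail change is itself a sensitive action.
def change_email_hardened(acct, new_email, mfa_code):
    if acct.mfa_enabled:
        issued = acct.outbox.get(acct.mfa_email, [])
        if mfa_code not in issued:         # code must have reached the old address
            raise PermissionError("MFA verification required to change e-mail")
        issued.remove(mfa_code)            # single use
    acct.email = new_email
    acct.mfa_email = new_email             # rebind only after the old address confirmed

def disable_mfa_request_hardened(acct):
    return send_code(acct, acct.mfa_email) # never an unverified profile edit

def disable_code_reaches_attacker(flow):
    """Replay the reported scenario on a left-open session; True if a code reaches the attacker."""
    acct = Account(email="victim@example.com")
    if flow == "vulnerable":
        change_email_vulnerable(acct, "attacker@example.com")
        disable_mfa_request_vulnerable(acct)
    else:
        try:
            change_email_hardened(acct, "attacker@example.com", mfa_code="guess")
        except PermissionError:
            pass                           # change rejected; e-mail stays the victim's
        disable_mfa_request_hardened(acct)
    return bool(acct.outbox.get("attacker@example.com"))
```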

