Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...