Unauthorized Password Reset

cartalyst/sentry is vulnerable to Unauthorized Password Reset. The vulnerability is due to improper handling of password reset checks in the Sentry authentication framework, which allows attackers to reset passwords for users who have NULL in their resetpasswordcode column...

OpenCFP Framework (Sentry) Account takeover via null password reset codes

OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stor...