Skip to content

Password reset is vulnerable to injection attack #4

Open
Open
Password reset is vulnerable to injection attack#4

Description

@samiy803
samiy803
opened on Apr 12, 2023

We should not rely on the client's action URL since this allows an attacker to send reset tokens to their own server

TurboCore/api/src/auth/reset_password.rs

Line 89 in c01ae6d

let action_url = format!("{}?token={}", body.reset_url, reset_token);

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions