Missing Release of Resource after Effective Lifetime in Answer - CVE-2024-41890
Published: August 20, 2024
Answer
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists within the password reset functionality, which does not invalidate the old password reset link after sending a new one. A remote attacker can generate multiple password reset requests and increase the chance of a successful token brute-force, leading to account takeover.