bypazs / CVE-2023-26984

An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.


CVE-2023-26984

Vulnerability Explanation:

An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.

Attack Vectors:

The attacker first logs in with an ordinary user-role account and starts a password reset for that account. The reset request is intercepted and the user id in it is changed to the admin's id or to that of another user; the server applies the new password to whichever id it is given rather than to the authenticated user. (An attacker can also see the email and password of the Tickets page if they create a ticket.) After that, the attacker can log in to the admin account with the new password.

Affected:

Tested on:

  1. peppermint version 0.2.4 (https://github.com/Peppermint-Lab/peppermint/tree/master)

Steps to attack:

  1. Enter your username and password; the account must have low privileges.
  2. Select View profile, select Password and intercept the traffic, fill out the new password.
  3. Change the id to admin id and forward the request.
  4. Now you can log in with the admin account.

Discoverer:

:shipit: Thapanarath Khempetch

Disclosure Timeline:

  • 2023-02-25: Vulnerability discovered.
  • 2023-02-26: Vulnerability reported to the MITRE corporation.
  • 2023-03-29: CVE has been reserved.
  • 2023-03-29: Public disclosure of the vulnerability.

Reference:

  1. https://github.com/Peppermint-Lab/peppermint/tree/master

  2. https://peppermint.sh/
