Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.
This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
References 3
https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c3788…
security-advisories@github.com
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2
security-advisories@github.com
https://vikunja.io/changelog/vikunja-v2.1.0-was-released
security-advisories@github.com