Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[CRITICAL] C1: Account takeover — any user can reset any other user's password #326

Description

@rubenvdlinde

Severity: CRITICAL

Location: lib/Controller/ContactpersonenController.php lines 505–581

Description:
POST /api/contactpersonen/change-password is annotated @NoAdminRequired. The only access check is that the caller is logged in — there is no verification that username in the body matches the currently authenticated user, and no current-password confirmation. Any authenticated user can supply an arbitrary username in the JSON body and overwrite that account's password.

Scenario:

POST /api/contactpersonen/change-password
{"username":"admin","newPassword":"Attacker1!"}

Sent as any non-admin user → admin password is reset → full admin takeover.

Suggested fix:

  • Drop @NoAdminRequired or add a service-layer check: username === currentUser->getUID() || isAdmin().
  • For self-service flows require current-password verification before accepting a new password.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions