You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
go again on login page & request a another password reset link
now use the old reset link to reset the password which is sent in step 2
link is working ! password is reset
Explanation :-
Suppose at 07:00 hrs I used password reset options of beancount.io and got a token on my email. Lets call it token 01. But i did not use it.And at 07:02 hrs I used again the password reset option and got a new token, which is token 02. Now generally after the issuance of token 02, the previous unused token should expire. But in case of beancount.io , its not happening
Mitigation :-
All unused tokens should expire automatically after the issuance of a new token
Please Fix the issues
Thanks & Regards,
Amit kumar
The text was updated successfully, but these errors were encountered:
Hello Security Team
I would like to report security issue
Vulnerability Details :-
Vulnerable link : https://beancount.io/forgot-password
Vulnerability Name : Password reset Link is not expiring after getting a new reset link
Steps to reproduce :-
Explanation :-
Suppose at 07:00 hrs I used password reset options of beancount.io and got a token on my email. Lets call it token 01. But i did not use it.And at 07:02 hrs I used again the password reset option and got a new token, which is token 02. Now generally after the issuance of token 02, the previous unused token should expire. But in case of beancount.io , its not happening
Mitigation :-
All unused tokens should expire automatically after the issuance of a new token
Please Fix the issues
Thanks & Regards,
Amit kumar
The text was updated successfully, but these errors were encountered: