Skip to content

Instantly share code, notes, and snippets.

Created January 17, 2022 10:46
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?



  • Broken Access Controls in Password Reset
  • Affected Product: DeltaRM 1.2
  • Vendor: DeltaRM
  • Severity: High
  • Vulnerability Class: Broken Access Controls
  • Status: Fixed
  • Author(s): Renato Cruz =======================================================================


It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, a user can send a JSON array with user IDs that will have their passwords reset (and new ones sent to their respective e-mail addresses).

Reproduction Steps

As an authenticated user, send the following request

POST /listes/DTsendmaildata/adm_utilisateur/send-mail.json HTTP/1.1
Cookie: PHPSESSID=*session id*
Content-Type: application/json

[*array of user ids*]


The application needs to validate the current user roles and permissions, and guarantee that the user only has access to the expected allowed features and context.

  • With the exception of public resources, deny by default.
  • Log access control failures, alert admins when appropriate (e.g. repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • JWT tokens should be invalidated on the server after logout.
  • Developers and QA staff should include functional access control unit and integration tests.

Disclosure Timeline

  • 26-10-2021: Vulnerability disclosed to DeltaRM
  • 28-10-2021: Acknowlegement from vendor
  • 11-12-2021: Fix released by the vendor
  • 10-01-2022: Retest performed, vulnerability fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment