[pydotorg-www] [PSRT] Bug in website

Victor Stinner vstinner at python.org
Thu Apr 8 08:42:38 EDT 2021


The security at python.org list got this report. Would you mind to review it?


On Sat, Mar 20, 2021 at 5:24 PM shubham more
<shubhammore262001 at gmail.com> wrote:
> Hii Team,
> I found vulnerbablity in website is Account takeover through change email.
> in change email without any cureent password conformation it can easily
> change /account takeover
> steps to reproduce:
> 1)go to website https://www.python.org/accounts/login/
> ex:Email:woyoj53697 at heroulo.com
> 2)create new account and login
> 3)go to account ->click of Edit profile
> 4)click on edit profile page email address to new:woyuRaj at 12345.com
> 5)click on save profile->after email change signout account
> 6)login new email address with old password also you can forget password
> ->forget password link send new email
> 7)then sign account
> Result Account takeover through change email.
> Impact:
> attacker easily takeover account
> poc:screenshot
> Thank you.
> _______________________________________________
> PSRT mailing list -- psrt at python.org
> To unsubscribe send an email to psrt-leave at python.org
> https://mail.python.org/mailman3/lists/psrt.python.org/
> Member address: vstinner at python.org

Night gathers, and now my watch begins. It shall not end until my death.

More information about the pydotorg-www mailing list