Journeyx jtime 11.5.4 Password Reset Token Prediction Vulnerability

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Affected Vendor and Product: - Vendor: Journeyx - Product: Journeyx (jtime) - Version: 11.5.4 2. Vulnerability Description: - Password reset tokens are generated using an insecure random source. An attacker who knows the Journeyx installation username can brute-force the password reset and change the administrator password. 3. Technical Description: - From an unauthorized perspective, a user can initiate the password reset process by clicking the “Reset Your Password” button and providing a valid username. - The password reset token is generated using the current timestamp and the user ID associated with the request. The user ID is a 128-bit UUID, which is unknown for each user created, except for the system administrator account. - During token generation, a secret key is created using the user ID between the strings “chuck” and “palahniuk”. - A list of string objects is encrypted using an XOR function, then base64-encoded. 4. Mitigation and Remediation Recommendations: - For self-hosted versions of Journeyx, it is recommended to disable user-initiated password reset functionality. - Steps to disable: 1. Log in to the Journeyx web application as an administrator. 2. Navigate to “Configuration” → “System Settings” → “Security Settings”. 3. Ensure the option “Show password reset button on login screen” is disabled. 4. Click the “Save” button. 5. Discoverer: - The vulnerability was discovered by Jaggar Henry of KoreLogic, Inc. 6. Disclosure Timeline: - January 31, 2024: KoreLogic notified Journeyx support of the vulnerability. - February 2, 2024: Journeyx confirmed receipt of vulnerability details. - February 9, 2024: Journeyx confirmed the vulnerability had been fixed in the cloud-hosted version. - July 1, 2024: KoreLogic notified Journeyx of the upcoming public disclosure. - July 9, 2024: Journeyx confirmed the fixed version number. - August 7, 2024: KoreLogic publicly disclosed the vulnerability. 7. Exploitation Example: - A Python script automates exploitation of this vulnerability by generating 50,000 tokens and brute-forcing their values. This information provides a detailed description of the vulnerability in Journeyx’s password reset process, including its impact, technical details, mitigation steps, and discoverer.

Goal Reached Thanks to every supporter — we hit 100%!

Journeyx jtime 11.5.4 Password Reset Token Prediction Vulnerability