CVE-2023-26984

Vulnerability Explanation:
An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.

Attack Vectors:
An attacker logs in with a user role, resets the password, intercepts the traffic, changes the id to the admin id or another user's id, and logs in with the new password.

Affected:
POST method: - - Request body:

Steps to Attack:
1. Log in with a low-privilege account.
2. Intercept traffic during password reset.
3. Change the id to the admin id and forward the request.
4. Log in with the new admin account.

Discoverer:
Thapanarath Khempetch

Disclosure Timeline:
2023-02-25: Vulnerability discovered.
2023-02-26: Reported to MITRE Corporation.
2023-03-29: CVE reserved and publicly disclosed.

Reference:
1. Peppermint GitHub Repository
2. Peppermint Website
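The root cause described above is a password reset that takes the target account from a client-supplied id instead of from the authenticated session. The following is an added example, not Peppermint's own code: the user table, handler names, field names and audit event are hypothetical, and it shows the trusting pattern beside a session-bound version that rejects and records a mismatched id.

```javascript
// Constructed in-memory user table; ids, emails and roles are sample values.
function makeUsers() {
  return new Map([
    [1, { id: 1, email: 'admin@example.test', role: 'admin', passwordHash: 'h:old-admin' }],
    [2, { id: 2, email: 'user@example.test', role: 'user', passwordHash: 'h:old-user' }],
  ]);
}

// Stand-in for a real password KDF (bcrypt, argon2); not secure, kept short here.
const hashPassword = (pw) => `h:${pw}`;

// Pattern described in the advisory: the target account comes from the request body.
function resetTrustingBody(users, session, body) {
  if (!session) return { status: 401 };
  const target = users.get(Number(body.id));
  if (!target) return { status: 404 };
  target.passwordHash = hashPassword(body.password);
  return { status: 200, changed: target.id };
}

// Hardened: the target is always the session's own user. A body id naming
// anyone else is refused and recorded so the attempt can be alerted on.
function resetBoundToSession(users, session, body, audit = []) {
  if (!session) return { status: 401 };
  if (body.id !== undefined && Number(body.id) !== session.userId) {
    audit.push({ event: 'password_reset_id_mismatch', actor: session.userId, requested: body.id });
    return { status: 403 };
  }
  const target = users.get(session.userId);
  if (!target) return { status: 404 };
  target.passwordHash = hashPassword(body.password);
  return { status: 200, changed: target.id };
}

// Same request through both handlers: session of user 2, body naming id 1.
function demo() {
  const session = { userId: 2 };
  const body = { id: 1, password: 'new-secret' };
  const a = makeUsers(), b = makeUsers(), audit = [];
  const weak = resetTrustingBody(a, session, body);
  const hard = resetBoundToSession(b, session, body, audit);
  return { weak, hard, audit,
    adminChangedWeak: a.get(1).passwordHash !== 'h:old-admin',
    adminChangedHard: b.get(1).passwordHash !== 'h:old-admin' };
}
```

The mismatch record gives detection a concrete signal: a password reset whose requested id differs from the session's user id.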