Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
Weakness
The product does not properly “clean up” and remove temporary or supporting resources after they have been used.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Vikunja | Vikunja | * | 2.1.0 (excluding) |