Headline
CVE-2022-1715: Account Takeover in facturascripts
Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07.
Description
Hi there, I found that the forget password functionality can be manipulated and this leads to account takeover. So even an attacker with a low-access user can take over admin accounts. In this bug the server is vulnerable to a PHP type juggling attack.
Proof of Concept
- While registering the app for first use, set the DB password starting with “0e” followed by random characters. So you can add any password starting with 0e.
- Go to the forget password section and add the username as admin and the new password as “newpass”.
- Add 0 in the database password.
- Send the request and log in with the new password.
- Password successfully changed.
Reference: https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09
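The steps above rely on PHP's loose comparison of numeric strings: a value such as "0e123456" is parsed as 0 × 10^123456, so `"0e123456" == "0"` evaluates to true. The snippet below is an added illustration and is not FacturaScripts code; the `$stored` value, the function names and the check shape are constructed for the example. It places the loose check beside the strict one a password or secret comparison should use.

```php
<?php
// Added example (not from the FacturaScripts project). Demonstrates the
// type-juggling weakness behind this report and the fix.

// Constructed sample: a stored secret that begins with "0e" and digits.
// PHP treats it as a numeric string equal to 0 * 10^123456, i.e. 0.
$stored = "0e123456";

// Vulnerable shape: loose comparison. When both operands are numeric
// strings PHP compares them as numbers, so "0e123456" == "0" is true.
function looseCheck(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened shape: hash_equals() compares the raw bytes (same effect as ===)
// and does so in constant time, so neither juggling nor timing leaks apply.
function strictCheck(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

var_dump(looseCheck($stored, "0"));          // the bug: accepts "0"
var_dump(strictCheck($stored, "0"));         // rejected
var_dump(strictCheck($stored, "0e123456"));  // only the exact value passes
```

For a password-reset flow the stronger design is to never compare the raw secret at all: store only a hash produced by `password_hash()` and verify with `password_verify()`, which already uses a constant-time, byte-exact comparison.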
Impact
Account takeover