Darklotus

#47122 of 53,633
5.4 Total CVSS
Vulnerabilities · 1
PT-2025-40002
5.4
2025-09-30
Titansystems · Zender · CVE-2025-56676
Name of the Vulnerable Software and Affected Versions

TitanSystems Zender version 3.9.7

Description

TitanSystems Zender version 3.9.7 has an account takeover issue in its password reset feature. A temporary password or reset token for one user can be used to log in as another user because of incorrect validation of the token-user connection. This allows remote attackers to gain unauthorized access to user accounts by exploiting the password reset mechanism. The issue happens because the reset token is not correctly linked to the account requesting it and is accepted for other user emails during login, enabling privilege escalation and information disclosure.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.