PT-2024-40029 · Cartalyst · Sentry

Published

2024-05-15

Updated

2024-05-15

CVSS v3.1

8.9 (High)

Vector

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

OpenCFP (affected versions not specified)

Description

The issue concerns the third-party authentication framework Sentry, developed by Cartalyst, which is used in OpenCFP. It stems from how Sentry handles password reset checks, specifically when users lack a password reset token stored in the database, resulting in NULL in the reset password code column. This could allow unauthorized manipulation of any OpenCFP user's password, particularly those without an unused password reset token. Successful exploitation still requires correlating the numeric user ID with an email address, but identifying likely organizers (typically users with IDs 1-5) may facilitate this process.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
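Since no fixed version is listed, the following added example (not code from Sentry, OpenCFP or this advisory) sketches a reset-code check that fails closed when the reset password code column is NULL. The function name `isValidResetCode` and the sample rows are hypothetical; it assumes the application can wrap or replace the framework's own check.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hardened reset-code check (illustration only, not Sentry's API).
 *
 * @param string|null $storedCode   Value of the reset password code column;
 *                                  NULL when no reset request is outstanding.
 * @param mixed       $suppliedCode Value taken from the reset request.
 */
function isValidResetCode(?string $storedCode, $suppliedCode): bool
{
    // No outstanding reset request: nothing may match, whatever was supplied.
    if ($storedCode === null || $storedCode === '') {
        return false;
    }
    // Reject missing, empty or non-string input before any comparison.
    if (!is_string($suppliedCode) || $suppliedCode === '') {
        return false;
    }
    // Strict, constant-time comparison with no type juggling.
    return hash_equals($storedCode, $suppliedCode);
}

// Constructed sample rows: user id => reset password code column.
$rows = [
    1 => null,                               // user never requested a reset
    2 => 'b7c1f0e2a94d4c6f8a1e3d5b7c9f0a2e', // constructed token
];

// Constructed requests: [user id, supplied code].
$requests = [
    [1, null],
    [1, ''],
    [1, 0],
    [2, ''],
    [2, 'not-the-token'],
    [2, 'b7c1f0e2a94d4c6f8a1e3d5b7c9f0a2e'],
];

foreach ($requests as [$userId, $supplied]) {
    $ok = isValidResetCode($rows[$userId], $supplied);
    printf("user %d, supplied %s: %s\n", $userId, var_export($supplied, true), $ok ? 'accepted' : 'rejected');
}
```

Only the last constructed request is accepted; every request against the user whose column is NULL is rejected regardless of the supplied value.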

Related Identifiers

GHSA-2M5G-8XPW-42VP

Affected Products

Sentry