
3 May 2024, 11:57 a.m.
On Fri, 3 May 2024 11:33:22 +1200, Peter Reutemann quoted:
'... the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.'
This phrasing is a bit confusing. What I think it means is that an attacker can trigger the sending of a password-reset message to any email address they choose; the message contains a link that they can then click on to take over the GitLab account. That certainly deserves a 10 out of 10 score.
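The flaw the thread is discussing, as an added example (not GitLab's code): a reset request that delivers the link to whatever address the requester supplies, beside a hardened version that only ever mails the verified address already on file and binds a hashed, expiring token to the account. The account store, mailer and token table are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed account store: username -> verified email address on file.
ACCOUNTS = {"alice": "alice@example.com"}
# Constructed token table: sha256(token) -> (username, expiry time).
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 900


class Mailer:
    """Records outgoing reset mail instead of sending it (stand-in)."""
    def __init__(self):
        self.sent = []

    def send_reset(self, to_addr, token):
        self.sent.append((to_addr, token))


def issue_token(username):
    """Mint a random token; store only its hash, bound to the account."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def request_reset_vulnerable(username, notify_email, mailer):
    """Flawed pattern: the delivery address comes from the request,
    so the reset link can be sent to an address the requester controls."""
    if username not in ACCOUNTS:
        return False
    mailer.send_reset(notify_email, issue_token(username))
    return True


def request_reset_hardened(username, mailer):
    """Only the verified address on file is ever used as the recipient.
    The response is identical whether or not the account exists."""
    verified = ACCOUNTS.get(username)
    if verified is not None:
        mailer.send_reset(verified, issue_token(username))
    return True


def redeem_token(token):
    """Single-use: returns the bound username or None if unknown/expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```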