CVE-2024-5386

In · In Multiple Products

A critical vulnerability has been identified in multiple products from the vendor "In," which allows a low-privileged user to take over any other user's account, including administrators.

Executive summary

The flaw lies in the password reset function of the affected products, which leaks another user's recovery token to an authenticated, low-privileged requester. Because that token alone is sufficient to set a new password on the victim's account, a 'viewer' can take over any account, including administrator accounts. Successful exploitation can lead to complete compromise of the application, with the attendant risk of data breach and unauthorized system control.

Vulnerability

The vulnerability is an account takeover flaw caused by a missing authorization check on the password reset mechanism. An authenticated user holding only the low-privileged 'viewer' role can send a specially crafted request to the application that names another user as the reset target. The server does not verify that the requester is entitled to initiate a reset for that account, processes the request, and returns a valid password reset token for the victim in its response. The attacker then uses the leaked 'recoveryToken' to set a new password on the victim's account and gains complete control of it, including administrator accounts. The root cause is therefore twofold: the reset action is reachable by any authenticated user for any target account, and the recovery token is returned in the response to the requester, where a sound design would deliver it only to the account owner through an out-of-band channel such as e-mail.
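To make the two halves of the failure concrete, the following added example (hypothetical Python, not the vendor's code, and not a reproduction of the real request) models a reset handler that performs no authorization check and echoes the token back to the caller, beside a hardened handler that restricts the action to the account owner or an administrator and never returns the token in the response. The in-memory `USERS` store, the role names 'viewer' and 'admin', the `OUTBOX` list and the `send_out_of_band` stub are all constructed for illustration.

```python
"""Illustrative model of the password reset flaw: hypothetical code, not the
vendor's implementation. Role names, the user store and the out-of-band
delivery stub are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class User:
    user_id: int
    role: str                              # 'viewer' or 'admin' (assumed roles)
    password_hash: str
    recovery_token: Optional[str] = None   # set while a reset is pending


class AuthzError(Exception):
    """Raised when the requester may not act on the target account."""


# Constructed in-memory user store: one administrator, one low-privileged viewer.
USERS: Dict[int, User] = {
    1: User(1, "admin", "hash-of-admin-password"),
    2: User(2, "viewer", "hash-of-viewer-password"),
}
OUTBOX: List[str] = []   # stands in for e-mail delivery of the recovery link


def send_out_of_band(user: User, token: str) -> None:
    """Stub: in a real system the token reaches only the account owner (e-mail, SMS)."""
    OUTBOX.append(f"to user {user.user_id}: reset token {token}")


def vulnerable_reset_request(requester: User, target_user_id: int) -> dict:
    """Flawed handler. Any authenticated user may name any target, and the
    freshly minted token is echoed back in the response body."""
    target = USERS[target_user_id]
    target.recovery_token = secrets.token_urlsafe(32)
    return {"status": "ok", "recoveryToken": target.recovery_token}


def hardened_reset_request(requester: User, target_user_id: int) -> dict:
    """Fixed handler. The requester must be the account owner or an admin, and
    the response never carries the token; it goes out of band instead."""
    if requester.user_id != target_user_id and requester.role != "admin":
        raise AuthzError("requester may not reset another user's password")
    target = USERS[target_user_id]
    target.recovery_token = secrets.token_urlsafe(32)
    send_out_of_band(target, target.recovery_token)
    return {"status": "ok"}   # same response shape whether or not a token was issued


def complete_reset(user_id: int, presented_token: str, new_password_hash: str) -> bool:
    """Second step of the flow: a valid, single-use token sets a new password."""
    user = USERS[user_id]
    if user.recovery_token is None or not hmac.compare_digest(user.recovery_token, presented_token):
        return False
    user.password_hash = new_password_hash
    user.recovery_token = None   # tokens are single use
    return True


def viewer_can_take_over_admin(reset_request: Callable[[User, int], dict]) -> bool:
    """Runs the attack described in the advisory against a given handler: the
    viewer (user 2) requests a reset for the admin (user 1) and tries to use
    whatever token comes back. Returns True if the admin password was changed."""
    attacker, victim = USERS[2], USERS[1]
    try:
        response = reset_request(attacker, victim.user_id)
    except AuthzError:
        return False
    token = response.get("recoveryToken")
    if token is None:
        return False
    return complete_reset(victim.user_id, token, "hash-of-attacker-chosen-password")


if __name__ == "__main__":
    print("vulnerable handler, takeover:", viewer_can_take_over_admin(vulnerable_reset_request))
    print("hardened handler, takeover:", viewer_can_take_over_admin(hardened_reset_request))
```

The hardened handler fixes both defects at once: the ownership check stops a viewer from naming someone else's account, and moving delivery out of band means that even a request the check lets through cannot hand the token to the caller. Returning the same response shape in every case also avoids leaking whether a target account exists.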

Business impact

This vulnerability is rated critical, with a CVSS score of 9.6. Exploitation allows privilege escalation: an attacker with minimal access can gain full administrative control over the application. Potential consequences include unauthorized access to and exfiltration of sensitive data, manipulation of critical records, and disruption of business operations. This poses a severe risk to data confidentiality, integrity, and availability, and could lead to significant reputational damage and regulatory penalties.

Remediation

Immediate Action: Apply the security updates provided by the vendor to all affected instances without delay so that they run the patched version. After patching, review access logs for signs of compromise or exploitation attempts that may have predated the update. Because a recovery token leaked before the patch may still be usable afterwards, invalidate outstanding reset tokens and force a password change on any account that shows a reset initiated by another user.

Proactive Monitoring: Security teams should actively monitor application and server logs for anomalous activity around the password reset function. Specifically, look for an unusual volume of password reset requests originating from low-privileged accounts (e.g., 'viewer' roles), for reset requests whose target account differs from the requesting user, and for responses that carry a 'recoveryToken' in the body, since a legitimate reset response should never contain the token at all. Correlate these events with subsequent logins to the targeted accounts from IP addresses or locations not previously seen for those users.
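The following added example (not the vendor's tooling) implements those three checks in Python over a handful of constructed log lines. The key=value log format, the field names `action`, `user`, `role`, `ip`, `target`, `resp_has_recoveryToken` and `status`, the `SAMPLE_LOG` events and the default thresholds are all assumptions for illustration; the real product's log format will differ and the `parse` function is the part to adapt.

```python
"""Added detection example: three checks over constructed application log
lines. The key=value format, the field names and the sample events are
assumptions for illustration, not the vendor's log format."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: an admin logs in normally, a viewer fires three reset
# requests at other accounts and receives tokens, then "admin" logs in from the
# viewer's IP. The final self-initiated reset with no token in the response is benign.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z action=login user=1 role=admin ip=198.51.100.7 status=success
2024-06-01T10:05:00Z action=password_reset_request user=2 role=viewer ip=203.0.113.5 target=1 resp_has_recoveryToken=1
2024-06-01T10:05:02Z action=password_reset_request user=2 role=viewer ip=203.0.113.5 target=3 resp_has_recoveryToken=1
2024-06-01T10:05:03Z action=password_reset_request user=2 role=viewer ip=203.0.113.5 target=4 resp_has_recoveryToken=1
2024-06-01T10:06:10Z action=password_reset_complete user=1 ip=203.0.113.5 status=success
2024-06-01T10:06:30Z action=login user=1 role=admin ip=203.0.113.5 status=success
2024-06-01T10:30:00Z action=password_reset_request user=5 role=viewer ip=192.0.2.9 target=5 resp_has_recoveryToken=0
""".splitlines()

LOW_PRIV_ROLES = {"viewer"}   # assumed role name from the advisory


def parse(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines: List[str], burst_threshold: int = 3,
           window: timedelta = timedelta(minutes=15)) -> List[dict]:
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts: List[dict] = []
    resets_by_actor: Dict[str, List[datetime]] = defaultdict(list)
    cross_user_resets: List[tuple] = []            # (ts, actor, target, actor_ip)
    known_ips: Dict[str, set] = defaultdict(set)   # user -> IPs seen on earlier logins

    for ev in events:
        action = ev.get("action")
        if action == "password_reset_request":
            actor, target = ev["user"], ev.get("target", ev["user"])
            # 1. A reset response must never carry the token itself.
            if ev.get("resp_has_recoveryToken") == "1":
                alerts.append({"rule": "token_in_response", "actor": actor,
                               "target": target, "ts": ev["ts"]})
            if actor != target:
                cross_user_resets.append((ev["ts"], actor, target, ev["ip"]))
            # 2. Burst of reset requests from a low-privileged account within the window.
            resets_by_actor[actor].append(ev["ts"])
            recent = [t for t in resets_by_actor[actor] if ev["ts"] - t <= window]
            if ev.get("role") in LOW_PRIV_ROLES and len(recent) == burst_threshold:
                alerts.append({"rule": "low_priv_reset_burst", "actor": actor,
                               "count": len(recent), "ts": ev["ts"]})
        elif action == "login" and ev.get("status") == "success":
            user, ip = ev["user"], ev["ip"]
            # 3. Victim logs in from a never-seen IP shortly after someone else reset them.
            for reset_ts, actor, target, actor_ip in cross_user_resets:
                if (target == user and timedelta(0) <= ev["ts"] - reset_ts <= window
                        and ip not in known_ips[user]):
                    alerts.append({"rule": "post_reset_login_new_ip", "user": user, "ip": ip,
                                   "reset_by": actor, "same_ip_as_reset": ip == actor_ip,
                                   "ts": ev["ts"]})
            known_ips[user].add(ip)
    return alerts


def rule_counts(alerts: List[dict]) -> Dict[str, int]:
    """Summarise alerts by rule name."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample the first rule fires once per leaked token, the burst rule fires once when the viewer's third request lands inside the window, and the login rule fires for the administrator's login from the viewer's address, with `same_ip_as_reset` set so an analyst can see the attacker reused the same source. The third rule is the one worth tuning most carefully: a seeded baseline of known IPs per user keeps it from alerting on every legitimate reset.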

Compensating Controls: If immediate patching is not feasible, consider the following temporary measures:

  • Implement a Web Application Firewall (WAF) rule to block the specific request pattern used to trigger the token leak. A rule keyed on the exact observed request is easy to sidestep, so prefer a broader rule that blocks any password reset request from a non-administrative session whose target account differs from the session's own user.
  • Temporarily restrict or disable the permissions for 'viewer' roles to access the password reset functionality.
  • Enforce Multi-Factor Authentication (MFA) for all accounts, especially privileged ones, as this may hinder an attacker's ability to use a stolen password alone.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.6 and the potential for a low-privileged user to achieve a full system compromise, this vulnerability represents a significant and immediate threat. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches across all affected systems without delay. While this CVE is not yet on the CISA KEV list, its severity warrants treating it with the highest urgency to prevent potential account takeovers and subsequent data breaches.