CVE-2026-26273

Known · Known (Social Publishing Platform)

A broken authentication vulnerability in Known allows unauthenticated attackers to retrieve password reset tokens from hidden HTML fields, enabling full account takeover of any user.

Executive summary

The Known social publishing platform is vulnerable to full account takeover because password reset tokens are leaked to unauthenticated attackers via the password reset page.

Vulnerability

The application incorrectly includes the password reset token within a hidden HTML input field on the reset request page. This allows any unauthenticated attacker to capture the token by querying a target's email address, bypassing the need for email inbox access.

Business impact

This vulnerability poses a critical risk to user privacy and platform integrity, as it facilitates unauthorized access to any account, including administrative profiles. Such an exploit could lead to complete site defacement, data theft, and loss of user trust. The CVSS score of 9.8 underscores the ease of exploitation and the severe impact on account security.

Remediation

Immediate Action: Update the Known installation to version 1.6.3 or later to ensure password reset tokens are no longer exposed in the browser.

Proactive Monitoring: Monitor web server logs for a high volume of requests to the password reset endpoint, which may indicate an attacker attempting to harvest tokens for multiple users.

Compensating Controls: Implement rate limiting on password reset requests and consider disabling the reset feature temporarily if an immediate update is not feasible.
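
One way to implement the log monitoring described under Proactive Monitoring, as an added example that is not part of the original advisory or of Known's code base. It assumes combined-format access logs; the reset path, window, threshold and sample log lines are constructed placeholders to adapt to your installation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: placeholder, not Known's real route; set it to your install's reset URL path.
RESET_PATH = "/RESET-PATH-PLACEHOLDER"
WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed max reset requests per client per window

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} ')

def find_reset_bursts(lines, path=RESET_PATH, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak count} for clients exceeding threshold in any window.

    Expects each client's lines in chronological order, as in a normal access log."""
    recent = defaultdict(deque)   # client ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0].rstrip("/") != path:
            continue              # malformed line or a different endpoint
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop requests that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _entry(ip, offset_s, path):
    """Build one constructed combined-format log line."""
    t = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "POST {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = (
    [_entry("203.0.113.7", 10 * i, RESET_PATH) for i in range(8)]        # burst
    + [_entry("198.51.100.20", 3600 * i, RESET_PATH) for i in range(2)]  # normal use
    + [_entry("203.0.113.7", 100, "/"), "not a log line"]
)

if __name__ == "__main__":
    for ip, peak in find_reset_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} reset requests within {WINDOW}")
```

Access logs normally do not record the submitted email address, so this flags volume per client only; the same per-client threshold can serve as the starting value for the rate limit.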

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to take over any user account without authentication represents a terminal risk to the platform. Administrators must treat this as a high-priority emergency and apply the 1.6.3 patch immediately to protect the user base from unauthorized account access.