+ "details": "### Summary\n\nThe LoginLink signature used for password reset URLs covers only the user's `id` — it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who intercepts or caches the original link can log in as the user even after the password has been changed.\n\n### Details\n\n`config/packages/security.yaml:73-78` configures the login link:\n\n```yaml\nlogin_link:\n check_route: link_login_check\n signature_properties: ['id']\n lifetime: 900\n max_uses: 3\n```\n\nThe HMAC signature covers only `id`, not `password`, `username`, or `email`. The effective lifetime for password reset links is extended to 3600 seconds by `PasswordResetController.php:106-119` via `getPasswordResetRetryLifetime()`.\n\nAfter the first successful use (where the user sets a new password), the `__pw_reset__` session flag is cleared by `WizardController.php:105`. Subsequent uses of the same link bypass the forced-password-reset wizard and grant a normal authenticated session.\n\nSymfony's `LoginLinkHandler::consumeLoginLink` decrements a per-link counter but allows up to 3 total uses. Re-issuing a new link does not invalidate the old one.\n\nThe same vulnerability affects `UserLoginLinkCommand.php:77`, which generates admin-on-demand login links with the same signature scheme.\n\n### PoC\n\n**Step 1 — Generate a password reset link:**\n\n```bash\ndocker exec <kimai_container> bin/console kimai:user:login-link <username>\n```\n\n**Step 2 — Use the link to log in and change the password.**\n\n**Step 3 — Open the same link in a different browser or incognito session.**\n\nThe link logs the attacker in as a fully authenticated user, despite the password having been changed in Step 2.\n\n**Step 4 — The link works a third time (3 total uses within 1 hour).**\n\n### Impact\n\nA password reset link that leaks through any of the following channels remains a valid authentication credential even after the legitimate user has changed their password: corporate mail-relay scanners that pre-click links (Microsoft Defender ATP, Mimecast, Barracuda), shared inboxes, browser history sync across devices, HTTP referrer headers, or proxy/WAF logs. The user believes they have secured their account by setting a new password, but the leaked link still grants full access for up to 2 additional uses within the hour.\n\n# Solution\n\nLogin links now also use the `password` hash for generating the signature, which will immediately expire the link after the user changed the password.\n\nRead <https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj> for more information.",
0 commit comments