CVE-2025-56676

CVSS 5.4 MEDIUM · EPSS 0.3% · CWE-1259
In short

TitanSystems Zender v3.9.7 has a flaw in its password reset feature where a reset token meant for one user can be used to log into any other user's account. An attacker can take over accounts by exploiting this broken validation, gaining unauthorized access to sensitive information.

Technical detail

The password reset functionality fails to properly validate the linkage between reset tokens and user accounts (CWE-1259: Improper Validation of Specified Quantity in Input). An attacker can intercept or obtain a reset token issued to one user and apply it to another user's account during login, bypassing authentication and achieving account takeover. This enables unauthorized access and privilege escalation without requiring the target user's credentials.

Summary generated and translated by AI from the official description.

Official description

TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user, due to improper validation of token-user linkage. This allows remote attackers to gain unauthorized access to any user account by exploiting the password reset mechanism. The vulnerability occurs because the reset token is not correctly bound to the requesting account and is accepted for other user emails during login, enabling privilege escalation and information disclosure.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
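The defect the description names is a reset token that is looked up on its own and then applied to whatever email the login request carries. The following is an added example, not code from Zender or TitanSystems, showing a weak redeem routine with exactly that gap beside a hardened one that binds the token to the account it was issued for. All names (ResetTokenStore, issue, weak_redeem, redeem) and the in-memory store are assumptions made for illustration.

```python
"""Password-reset token binding: a weak check beside a hardened one.

Added example, not code from the Zender project. The class and method
names are assumptions; the in-memory list stands in for a reset-token
table and is constructed for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ResetRecord:
    email: str          # account the token was issued for
    token_hash: str     # sha256 of the token; only the user ever sees the raw value
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Constructed stand-in for a password-reset table."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.records: List[ResetRecord] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a random token and record which account it belongs to."""
        token = secrets.token_urlsafe(32)
        self.records.append(
            ResetRecord(email.lower(), self._hash(token), time.time() + self.ttl)
        )
        return token

    def _find(self, token: str) -> Optional[ResetRecord]:
        digest = self._hash(token)
        for rec in self.records:
            if hmac.compare_digest(rec.token_hash, digest):
                return rec
        return None

    def weak_redeem(self, token: str, email: str) -> Optional[str]:
        """Weak: checks that the token exists, is unused and unexpired,
        but never compares the client-supplied email with the account
        the token was issued for. The session is opened for whichever
        email the request names."""
        rec = self._find(token)
        if rec is None or rec.used or rec.expires_at < time.time():
            return None
        rec.used = True
        return f"session-for:{email.lower()}"

    def redeem(self, token: str, email: str) -> Optional[str]:
        """Hardened: the token must be unused, unexpired AND bound to the
        submitted email; the resulting identity is taken from the stored
        record rather than from the request."""
        rec = self._find(token)
        if rec is None or rec.used or rec.expires_at < time.time():
            return None
        if not hmac.compare_digest(rec.email.encode(), email.lower().encode()):
            return None  # token belongs to another account: reject, no hint which
        rec.used = True
        return f"session-for:{rec.email}"


def demo() -> dict:
    """Run both paths on a token issued to one account and presented for another."""
    weak = ResetTokenStore()
    t1 = weak.issue("alice@example.com")
    hardened = ResetTokenStore()
    t2 = hardened.issue("alice@example.com")
    return {
        "weak_cross_account": weak.weak_redeem(t1, "bob@example.com"),
        "hardened_cross_account": hardened.redeem(t2, "bob@example.com"),
        "hardened_own_account": hardened.redeem(t2, "Alice@Example.com"),
        "hardened_reuse": hardened.redeem(t2, "alice@example.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two routines differ by one comparison, but that comparison is the whole fix: the account identity must come from the token record, never from the login form, and the token should be single-use and hashed at rest so that a leaked table does not become a set of live credentials. A detection angle for the weak pattern is a reset token redeemed against an email that differs from the one it was issued to; logging both values at redeem time makes that mismatch visible.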
Affected products
n/a · n/a
