
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-31123 affects effectindex/tripreporter, a community-powered platform for submitting and analyzing trip reports. The vulnerability was discovered and patched on April 30, 2023. Because of improper password verification, anyone who submits a password that merely satisfies the password requirements can log in as any user on an instance of effectindex/tripreporter, such as subjective.report (GitHub Advisory).
The vulnerability stems from an improper authentication implementation in the login endpoint POST /api/v1/account/login: the handler called the ValidatePassword function, which only checks that a password meets the requirements, instead of VerifyPassword, which checks it against the stored credential. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).
The vulnerability allows unauthorized access to user accounts, potentially leading to data loss and account compromise. Anyone supplying a password that meets the password requirements could gain access to any other user's account on the platform (GitHub Advisory).
The vulnerability has been patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. Users of subjective.report require no action, as the patch has already been applied there. Administrators running their own instances should update to this commit or newer immediately. As a workaround, instances can manually apply the patch that changes ValidatePassword to VerifyPassword in the authentication code (GitHub Patch, GitHub Advisory).
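The mismatch the advisory describes, as an added example that is not tripreporter's own code: a format-only ValidatePassword used where a hash comparison (VerifyPassword) belongs, beside the corrected login path. The password-complexity rule, the scrypt parameters and the single-user store are assumptions made for the demonstration.

```python
"""Illustrates CVE-2023-31123: a login path that called the password *format*
checker (ValidatePassword) where the credential *comparison* (VerifyPassword)
belonged. These are hypothetical re-implementations named after the functions
in the advisory, not tripreporter's code."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library scrypt; parameters are assumed for the demo.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def validate_password(password: str) -> bool:
    """Complexity rule only (assumed: >= 8 chars with a letter and a digit).
    It never consults stored credentials, so it proves nothing about identity."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def verify_password(password: str, user: User) -> bool:
    """Compare the submitted password against the stored hash in constant time."""
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


# Constructed user store with a single account.
_SALT = b"constructed-demo-salt-16"
USERS = {"alice": User(_SALT, hash_password("Correct-horse-9", _SALT))}


def login_vulnerable(username: str, password: str) -> bool:
    """Mirrors the bug: any well-formed password is accepted for an existing user."""
    user = USERS.get(username)
    return user is not None and validate_password(password)


def login_fixed(username: str, password: str) -> bool:
    """Patched behaviour: format check first, then the real credential check."""
    user = USERS.get(username)
    return user is not None and validate_password(password) and verify_password(password, user)


if __name__ == "__main__":
    print(login_vulnerable("alice", "Totally-wrong-1"))  # True: account takeover
    print(login_fixed("alice", "Totally-wrong-1"))       # False
    print(login_fixed("alice", "Correct-horse-9"))       # True
```

The detection angle for defenders is the same as the fix: a login routine whose only inputs are the submitted password and a policy, with no read of the stored hash, cannot be authenticating anyone.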
Source: This report was generated using AI