
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email and contain a token used to reset the password. The token remains valid even after the password reset and can be used a second time to change the password of the corresponding user within a 3-hour window after issuance. The token is sent as a query parameter when resetting, allowing an attacker with access to the browser history to reuse the token to take over the account (Serenity Commit, SEC Advisory).
The flaw is in the password reset flow: a token is valid for 3 hours after issuance, and a successful reset does not invalidate it, so the same token can be submitted repeatedly within that window. Because the reset page receives the token as a URL query parameter, it is recorded in browser history (and, as with any secret carried in a URL, may also end up in proxy logs and Referer headers) (SEC Advisory).
An attacker who can read the victim's browser history, for example on a shared or compromised workstation, can recover the token after the victim has already used it and submit it again to set a password of the attacker's choosing, taking over the account. The replay must happen within the 3-hour validity window (SEC Advisory).
The issue is fixed in version 6.7.0. The vendor recommends either creating a new project from the 6.7.0 or later template or manually applying the changes from the security update commit to an existing project. The fix makes reset tokens single-use, so a token is rejected once a password has been changed with it (Serenity Commit). Any Serene or StartSharp deployment on a release before 6.7.0 should be treated as affected.
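The following is an added example written for this entry; it is not Serenity's code and does not reproduce the vendor's actual patch. It models the pattern the advisory describes in a small Python reset flow: a vulnerable variant that checks only the token's signature and age, so a token that has already been used keeps working for the rest of its 3-hour window, beside a hardened variant that makes the token single-use. The hardened variant does this two ways at once: the signature covers the user's current password hash (so any token issued before a successful reset stops verifying), and the server also remembers consumed signatures. The signing key, user record, placeholder salted SHA-256 hashing and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a real deployment loads the key from
# configuration and keeps users in a database.
SERVER_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 3 * 60 * 60  # the 3-hour validity window described above


class User:
    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self.set_password(password)

    def set_password(self, password: str) -> None:
        # Fresh random salt on every change, so the stored hash differs even if
        # the same password is chosen again. Placeholder hashing only: use a
        # real password hash (Argon2, bcrypt, PBKDF2) in production.
        self.salt = secrets.token_hex(8)
        self.password_hash = hashlib.sha256((self.salt + password).encode()).hexdigest()

    def check_password(self, password: str) -> bool:
        digest = hashlib.sha256((self.salt + password).encode()).hexdigest()
        return hmac.compare_digest(digest, self.password_hash)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _parse(token: str):
    """Split 'user_id:issued_at:sig'; returns None for malformed tokens."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2]


class VulnerableResetFlow:
    """Checks only signature and expiry: a used token stays valid for 3 hours."""

    def issue_token(self, user: User, now: float) -> str:
        payload = f"{user.user_id}:{int(now)}"
        return f"{payload}:{_sign(payload)}"

    def reset_password(self, user: User, token: str, new_password: str, now: float) -> bool:
        parsed = _parse(token)
        if parsed is None:
            return False
        user_id, issued_at, sig = parsed
        if not hmac.compare_digest(sig, _sign(f"{user_id}:{issued_at}")):
            return False
        if user_id != user.user_id or now - issued_at > TOKEN_TTL_SECONDS:
            return False
        user.set_password(new_password)  # nothing records that the token was spent
        return True


class HardenedResetFlow:
    """Single-use tokens: the signature is bound to the current password hash,
    so a successful reset invalidates every earlier token, and a set of consumed
    signatures rejects a replay even if the hash somehow stayed the same."""

    def __init__(self):
        self._consumed = set()

    def issue_token(self, user: User, now: float) -> str:
        payload = f"{user.user_id}:{int(now)}"
        # The hash is mixed into the signature only; it is never sent to the user.
        return f"{payload}:{_sign(payload + ':' + user.password_hash)}"

    def reset_password(self, user: User, token: str, new_password: str, now: float) -> bool:
        parsed = _parse(token)
        if parsed is None:
            return False
        user_id, issued_at, sig = parsed
        expected = _sign(f"{user_id}:{issued_at}:{user.password_hash}")
        if not hmac.compare_digest(sig, expected):
            return False  # tampered, wrong user, or password already changed
        if user_id != user.user_id or now - issued_at > TOKEN_TTL_SECONDS:
            return False
        if sig in self._consumed:
            return False  # explicit single-use check
        self._consumed.add(sig)
        user.set_password(new_password)
        return True


def replay_scenario(flow) -> bool:
    """Victim resets with the emailed token; an attacker who pulled the same
    token from browser history replays it an hour later. Returns True if the
    attacker's password is now the account password."""
    t0 = 1_700_000_000.0  # constructed issuance time
    victim = User("alice", "old-password")
    token = flow.issue_token(victim, t0)
    if not flow.reset_password(victim, token, "victim-new-password", t0 + 60):
        raise RuntimeError("legitimate reset should succeed")
    hijacked = flow.reset_password(victim, token, "attacker-password", t0 + 3600)
    return bool(hijacked and victim.check_password("attacker-password"))


def expired_token_rejected(flow) -> bool:
    """Both flows reject a token presented after the 3-hour window."""
    t0 = 1_700_000_000.0
    user = User("bob", "old-password")
    token = flow.issue_token(user, t0)
    return not flow.reset_password(user, token, "late", t0 + TOKEN_TTL_SECONDS + 1)
```

`replay_scenario(VulnerableResetFlow())` returns True (the attacker's reset succeeds) while `replay_scenario(HardenedResetFlow())` returns False. Binding the signature to the password hash is the part that keeps working across server restarts or multiple instances, since it needs no shared "used" state; the consumed-set check is cheap defense in depth. Neither change removes the token from browser history, so a short validity window and a single-use token together limit what a recovered URL is worth.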
The vulnerability was discovered and reported by Fabian Densborn from SEC Consult. The vendor, Serenity.is, expressed gratitude to Fabian Densborn and the SEC Consult Vulnerability Lab for responsibly reporting and collaborating on addressing the identified issues (Serenity Commit).
Source: This report was generated using AI