effectindex/tripreporter vulnerable to improper password verification on POST `/api/v1/account/login`
Description
effectindex/tripreporter is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of effectindex/tripreporter (e.g. subjective.report) may be affected by an improper password verification vulnerability: any password that satisfies the instance's password requirements is accepted at login, so an attacker can log in as any user. This gives the attacker access to the affected account and can lead to loss of that user's data. The issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action is necessary for users of subjective.report; anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, an operator running their own instance may apply the patch manually.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: < commit bd80ba833b9023d39ca22e29874296c8729dd53b
- (no CPE) range: < bd80ba833b9023d39ca22e29874296c8729dd53b
Vulnerability mechanics
Root cause
The login handler checked only that the submitted password met the instance's password requirements (a format check) and never compared it against the account's stored credential. Any well-formed password therefore authenticates any existing account. Note that a comparison against a hardcoded string would accept only one specific password, which does not match the advisory's statement that any password meeting the requirements works; the flaw is a missing credential check, not a fixed-string comparison.
Attack vector
An attacker sends a POST request to the `/api/v1/account/login` endpoint with the target's username and any password that satisfies the instance's password requirements [ref_id=1]. Because the handler only validates the password's format and never checks it against the stored credential, the request succeeds and the attacker is logged in as the target user [ref_id=1]. This grants unauthorized access to the account and can lead to loss of that user's data [ref_id=1]. No brute force is involved: the first well-formed guess succeeds.
Affected code
The vulnerability exists in the `AccountPostLogin` function within the `api/account.go` file [ref_id=1]. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, that handler called the password-format validator rather than a check of the submitted password against the stored credential [ref_id=1].
What the fix does
The patch modifies `AccountPostLogin` to call `a1.VerifyPassword(account.Password)` in place of `a1.ValidatePassword(account.Password, "Password")` [ref_id=1]. `ValidatePassword` only checks that a password satisfies the format requirements (its second argument is a literal label, not a secret), whereas `VerifyPassword` checks the submitted password against the account's stored credential, so a password that is merely well-formed no longer authenticates.
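The vulnerable and fixed login paths side by side, as an added Go example written for this page and not code from the tripreporter project: the `Account` type, the in-memory store, the complexity policy inside `ValidatePassword` and the salted-SHA-256 stand-in for the real password hash are all assumptions (a deployment would use bcrypt or argon2). Only the shape of the two calls, `ValidatePassword(password, "Password")` versus `VerifyPassword(password)`, follows the patch.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// Account is a constructed stand-in for a stored user record; the
// project's real schema is not shown on the advisory page.
type Account struct {
	Username string
	Salt     []byte
	Hash     []byte
}

// ErrBadCredentials is returned for every authentication failure so the
// response does not reveal whether the username exists.
var ErrBadCredentials = errors.New("invalid username or password")

// ValidatePassword checks only that a candidate satisfies the instance's
// complexity policy (assumed here: at least 8 characters, one letter and
// one digit). It answers "is this a well-formed password?", never "is this
// the right password?". The field argument is used only in the error text.
func ValidatePassword(password, field string) error {
	var hasLetter, hasDigit bool
	for _, r := range password {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if len(password) < 8 || !hasLetter || !hasDigit {
		return fmt.Errorf("%s does not meet the password requirements", field)
	}
	return nil
}

// derive is a deliberately simple salted hash so the example has no
// external dependencies; real code should use bcrypt or argon2.
func derive(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewAccount enforces the format policy at registration and stores a
// salted hash of the password.
func NewAccount(username, password string) (*Account, error) {
	if err := ValidatePassword(password, "Password"); err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Username: username, Salt: salt, Hash: derive(salt, password)}, nil
}

// VerifyPassword compares the candidate with the stored credential in
// constant time; this is the check the login handler must call.
func (a *Account) VerifyPassword(password string) error {
	if subtle.ConstantTimeCompare(derive(a.Salt, password), a.Hash) != 1 {
		return ErrBadCredentials
	}
	return nil
}

// LoginVulnerable mirrors the pre-patch logic: the account is looked up,
// but only the format validator runs, so any well-formed password is
// accepted for any existing username.
func LoginVulnerable(store map[string]*Account, username, password string) error {
	acct, ok := store[username]
	if !ok {
		return ErrBadCredentials
	}
	_ = acct // the stored credential is never consulted
	return ValidatePassword(password, "Password")
}

// LoginFixed mirrors the post-patch logic: the submitted password is
// verified against the account's stored credential.
func LoginFixed(store map[string]*Account, username, password string) error {
	acct, ok := store[username]
	if !ok {
		return ErrBadCredentials
	}
	return acct.VerifyPassword(password)
}

func main() {
	victim, _ := NewAccount("alice", "correct-horse-7")
	store := map[string]*Account{"alice": victim}
	guess := "Password1" // well-formed, but not alice's password
	fmt.Println("vulnerable:", LoginVulnerable(store, "alice", guess)) // <nil>: login succeeds
	fmt.Println("fixed:", LoginFixed(store, "alice", guess))           // invalid username or password
}
```

The same username lookup happens in both paths; the only difference is which function the password is handed to, which is exactly why the bug is easy to miss in review when the two names are as similar as `ValidatePassword` and `VerifyPassword`.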
Preconditions
- auth: The target account must exist on the affected instance and the attacker must know its username; the attacker does not need that account's password.
- input: The attacker must supply a password that meets the instance's password requirements; any such value works.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b (mitre, x_refsource_MISC)
- https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6 (mitre, x_refsource_CONFIRM)