CVE-2026-10169
Description
The Forgot Password endpoint in OUSL-GROUP-BrinaryBrains School Student Management System allows unverified password reset and account enumeration, enabling takeover of any account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Forgot Password endpoint in the School Student Management System (commit up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6) contains a business logic flaw. In application/controllers/Login.php, the ajax_forgot_password function accepts an email via POST and immediately resets the corresponding account's password to a random string derived from md5(rand(...)) without any verification (no CAPTCHA, security questions, email token, or current password check). The response differs between existing and non-existing emails, allowing account enumeration. This affects all versions up to the mentioned commit; the product does not use versioning [1].
Exploitation
An attacker with remote network access sends a POST request to /index.php?login/ajax_forgot_password with the target's email. The endpoint returns {"status":"true"} and changes the password in the database to a predictable (weak random) string. By sending a non-existent email, the attacker receives an HTTP 500 error, enabling enumeration of valid teacher/student/admin email addresses [1]. No authentication, rate limiting, or user interaction is required; the attack has high complexity due to the difficulty of predicting the random password, but public exploit code exists [1].
Impact
Successful exploitation allows an attacker to enumerate valid accounts and forcibly reset the password of any teacher, student, or admin account whose email is known or enumerated. The attacker can then log in as that user, gaining access to the system with the compromised user's privileges. This results in unauthorized access, potential data disclosure, and further system compromise [1].
Mitigation
As of the available references, no fix has been released by the vendor. The project was notified via an issue report but has not responded [1]. Until a patch is provided, the application is vulnerable. Administrators should consider disabling or restricting access to the forgot password endpoint, implementing proper email-based verification tokens, adding CAPTCHA, rate limiting, and ensuring responses do not reveal account existence [1].
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 products listed
- (no CPE)
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing verification steps in password reset flow — the endpoint immediately resets the password upon receiving any email address with no token, CAPTCHA, or confirmation."
Attack vector
An attacker sends a POST request to `/index.php?login/ajax_forgot_password` with an `email` parameter. The endpoint immediately resets the associated account's password to a random 7-character string derived from `md5(rand(100000000,20000000000))` with no CAPTCHA, security questions, email-based reset token, or original password verification [ref_id=1]. The response differs based on whether the email exists — a `{"status":"true"}` response for valid emails versus an HTTP 500 error for invalid ones — enabling account enumeration [ref_id=1]. The attack is remotely exploitable with no authentication required, though the CVSS notes high complexity.
Affected code
The vulnerable function is `ajax_forgot_password` in `application/controllers/Login.php` (lines 144–195). The supporting model file `application/models/Email_model.php` (lines 25–37) is also involved [ref_id=1].
What the fix does
No patch has been published. The project was informed via an issue report but has not responded [ref_id=1]. The advisory recommends implementing email-based reset tokens (one-time links), CAPTCHA, rate limiting, and user notification before changing passwords, as well as returning a uniform response regardless of whether the email exists to prevent enumeration [ref_id=1].
Preconditions
- auth: No authentication required
- input: Attacker must know or guess a valid email address to reset a specific account
- network: Network access to the application's forgot password endpoint
Reproduction
Send a POST request to the forgot password endpoint with an email that exists in the database (e.g., `t_kasun@gmail.com`). Observe the JSON response `{"status":"true",...}` and note that the account's password has been changed in the database. Send a POST request with an email that does not exist (e.g., `no_such_user@example.com`). Observe the application returns an HTTP 500 Internal Server Error, revealing that the email was not found [ref_id=1].
Proof of Concept request (existing user):

```http
POST /index.php?login/ajax_forgot_password HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

email=t_kasun@gmail.com
```

Proof of Concept request (non-existing user):

```http
POST /index.php?login/ajax_forgot_password HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

email=no_such_user@example.com
```
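Until a fix ships, the response asymmetry described in the Exploitation and Reproduction sections (HTTP 500 for unknown emails, 200 for known ones) is also what makes abuse visible in the web server log: a single client posting repeatedly to `ajax_forgot_password` and collecting mostly 500s, often followed by a 200 once a valid address is hit. The following Python detector is an added example for this page, not a tool from the project or the advisory; it parses combined-format access log lines (the sample lines are constructed) and flags a source IP that exceeds an error or volume threshold on that endpoint within a five-minute window. Thresholds and the alert format are assumptions to tune per deployment.

```python
"""Flag forgot-password enumeration from web server access logs (added example).

Input: Apache/nginx combined-format lines. Sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT_MARKER = "ajax_forgot_password"   # the vulnerable endpoint named in the advisory
WINDOW_SECONDS = 300                        # sliding window per source IP (assumed)
ERROR_THRESHOLD = 5                         # 500s in window -> enumeration suspected
TOTAL_THRESHOLD = 10                        # any volume this high is also abnormal

# Constructed sample: one ordinary user, one client probing addresses then hitting a valid one.
SAMPLE_LOG = """\
198.51.100.9 - - [31/May/2026:10:00:01 +0000] "GET /index.php?login HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.9 - - [31/May/2026:10:00:20 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:00 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:01 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:02 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:03 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:04 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2026:10:05:05 +0000] "POST /index.php?login/ajax_forgot_password HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "target": m.group("target"), "status": int(m.group("status"))}


def detect_enumeration(lines):
    """Return one alert per source IP whose forgot-password traffic trips a threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ENDPOINT_MARKER in ev["target"]:
            per_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["time"])
        best = None
        start = 0
        for end in range(len(events)):
            # advance the window start so the window never spans more than WINDOW_SECONDS
            while events[end]["time"] - events[start]["time"] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            errors = sum(1 for e in window if e["status"] == 500)
            successes = sum(1 for e in window if e["status"] == 200)
            if (errors >= ERROR_THRESHOLD or len(window) >= TOTAL_THRESHOLD) and \
                    (best is None or len(window) > best["total"]):
                best = {"ip": ip, "window_start": window[0]["time"], "total": len(window),
                        "errors": errors, "successes": successes}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 200 following a run of 500s from the same client is the stronger signal, since with this endpoint a 200 means a password has already been reset; an alert with `successes > 0` should trigger a check of which account changed password at that time and a forced re-reset through an out-of-band channel.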
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.