2FA is bypassed right after password reset

[DocSneider]

Summary

After Password Reset, the 2FA is not called and the user gets logged in directly.

Details

When using the "built-in authentication" and receiving a password reset link, the 2FA (TOTP) will be bypassed after changing the password, even if 2FA is forced for all users.

If logging out and in again, the 2FA check is called again.

PoC

1. Ensure the "enforce 2FA" is activated
2. Getting password reset email from: https://wiki.internal/login#forgot
3. Change password via link from Mail
4. Getting logged in directly into the wiki ➡️ 2FA page will NOT pop up
5. Logging out
6. Logging in, entering password ➡️ 2FA code is required to login (so normal behavior again)

Impact

If an attacker gets access to a users mail account, he can reset the password and login without 2nd factor.
This completely circumvents the intended protection provided by 2FA.

(Already reported this in https://github.com/requarks/wiki/security/advisories/GHSA-xj3p-gj3h-jf58 on 08.01.2025)