Nextcloud: Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe

2016-06-17T13:39:29
ID H1:145396
Type hackerone
Reporter strukt
Modified 2016-06-19T03:51:51

Description

Hello,

The mentioned URL contains a form that, when supplied correct user emails, unsubscribes users from the newsletters they're subscribed to. If the user is not subscribed, the form returns a message that says that the user is not subscribed if this is the case.

Regards