Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrNehalr7771B1FA915-D588-4BB1-9E82-6A6BE79BEFED
HistoryMay 04, 2023 - 12:20 p.m.

No rate limit on send report functionality results in an email spam

2023-05-0412:20:27
nehalr777
www.huntr.dev
5
security
email spam
rate limit
attack
proof of concept
bug bounty

EPSS

0.001

Percentile

33.2%

JSON

Description

There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint , which allows an attacker to spam the victims mailbox

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification 
2) Click on daily frequency for Send me a backup status report 
3) Turn on your intercept and capture the request while you Click the Save and send report button . 
4) Send this report to the repeater and send the same request 100 times .
5) You will see that the mailbox has been spammed

Related

github 1
cve 1
nvd 1
osv 2
prion 1
cvelist 1
veracode 1
github
github
RDiffWeb vulnerable to Allocation of Resources Without Limits or Throttling
2023-08-03 18:30:35
cve
cve
CVE-2023-4138
2023-08-03 15:15:36
nvd
nvd
CVE-2023-4138
2023-08-03 15:15:36
osv
osv
RDiffWeb vulnerable to Allocation of Resources Without Limits or Throttling
2023-08-03 18:30:35
CVE-2023-4138
2023-08-03 15:15:36
prion
prion
Design/Logic Flaw
2023-08-03 15:15:00
cvelist
cvelist
CVE-2023-4138 Allocation of Resources Without Limits or Throttling in ikus060/rdiffweb
2023-08-03 13:41:50
veracode
veracode
Email Spamming
2023-08-07 02:18:37

EPSS

0.001

Percentile

33.2%

JSON
Related for 1B1FA915-D588-4BB1-9E82-6A6BE79BEFED
github1cve1nvd1osv2prion1cvelist1veracode1