No rate limit on "resend email" feature while enabling or disabling 2FA from the /prefs/mfa endpoint

Reported: Dec 21, 2022, 15:38
Reporter: nehalr777
Source: www.huntr.dev
Report ID: 9369681B-8BFC-4146-A54C-C5108442D92C
Tags: email triggering vulnerability, mail server expenses, 2FA verification code

EPSS: 0.001 (percentile 32.3%)

Description

When a user sets up 2FA, a verification code is sent to the registered email address. The endpoint that triggers this email has no rate limit, so an attacker can cause an email flood (a denial of service against the recipient's mailbox) and also drive up the operator's mail-server costs: an attacker can send 1 million emails through this endpoint, and every one of them is billed to you.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Click on "Enable 2FA". A verification link will be sent to your email.
3) You will see a "Resend code to my email" button. Click on it and capture the request with the Burp Suite proxy.
4) Send this request to Burp Suite Intruder and fire the same payload 1000 times.
5) The registered email will receive 1000 emails with verification codes.
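As an added example (not part of this report or of rdiffweb's own code), a per-user limiter that a maintainer could place in front of the resend-code handler: a cooldown between two sends plus a cap per sliding window, so a burst of identical requests like the one in the PoC yields a single email. The class name, its defaults (60 s cooldown, 5 sends per hour) and the injectable clock are assumptions.

```python
import time
from collections import defaultdict, deque


class ResendCodeLimiter:
    """Per-user gate for a 'resend verification code' action: a cooldown
    between two sends plus a cap per sliding window (defaults are assumed)."""

    def __init__(self, cooldown=60, max_per_window=5, window=3600, clock=time.time):
        self.cooldown = cooldown
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock  # injectable so tests can drive time deterministically
        self._sends = defaultdict(deque)  # user -> timestamps of accepted sends

    def check(self, user):
        """Return (allowed, retry_after_seconds) without recording a send."""
        now = self.clock()
        sends = self._sends[user]
        while sends and now - sends[0] >= self.window:  # expire old entries
            sends.popleft()
        if sends and now - sends[-1] < self.cooldown:
            return False, self.cooldown - (now - sends[-1])
        if len(sends) >= self.max_per_window:
            return False, self.window - (now - sends[0])
        return True, 0

    def record(self, user):
        """Record a send; call only after the mail was actually queued."""
        self._sends[user].append(self.clock())

    def try_send(self, user, send_fn):
        """Gate send_fn(user) behind the limiter; return (sent, retry_after)."""
        allowed, retry_after = self.check(user)
        if not allowed:
            return False, retry_after
        send_fn(user)
        self.record(user)
        return True, 0


def simulate_burst(limiter, user, attempts):
    """Constructed scenario: `attempts` resend requests fired at one instant.
    Returns how many emails the gated handler would actually send."""
    sent = 0
    for _ in range(attempts):
        if limiter.try_send(user, lambda u: None)[0]:
            sent += 1
    return sent
```

The retry-after value is what the handler would put in a `Retry-After` header or a "please wait N seconds" message; counting rejected attempts per user is also a cheap signal for detecting this kind of abuse.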
