2 matches found
Drugs.com: 2FA Bypass leads to impersonation of legitimate users
The authentication system contained a logic flaw that allowed an attacker to impersonate a legitimate user who had not yet registered. By abusing the email change functionality and bypassing two-factor authentication, the attacker could retain access to the account until the legitimate user reset...
GHSA-65P7-PJJ8-GGMR Member account takeover
Impact: An error in the implementation of the member email change functionality allows unauthenticated users to change the email address of arbitrary member accounts to one they control by crafting a request to the relevant API endpoint, and validating the new address via magic link sent to the ne...