No captcha on newsletter.nextcloud.com leaves it vulnerable to email spammers

Disclosed: 2016-06-19 12:16:42 By aaron_costello To nextcloud
Unknown
Vulnerability Details
The lack of a captcha or verificationcodeX (it's empty) in your phplist configuration allows attackers to use this mail form to send as much spam as they like to victims. I did not reach an email sending limit when I tested this.
PoC images below:
Burp suite automated requests: https://gyazo.com/2b171479a41086057db0f4f2b3f30eea
Result in inbox: https://i.gyazo.com/347f5cd8c94a5715db72f959640ec7a1.png
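A defensive counterpart to the report above, as an added example that is not part of the report or of phplist: a subscribe-handler guard that requires a captcha token and caps confirmation mails per recipient address and per source IP, which is what closes the two gaps the reporter describes. The captcha verifier, the window and limit values, and the sample requests are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600      # sliding window for the counters (assumed value)
MAX_PER_RECIPIENT = 3      # confirmation mails one address may receive per window
MAX_PER_SOURCE = 20        # subscribe attempts one client IP may make per window


class SubscribeGuard:
    """Gate for a newsletter subscribe handler: captcha first, then per-target
    and per-source rate limits so one client cannot flood a victim's inbox."""

    def __init__(self, captcha_ok, now=time.time):
        self.captcha_ok = captcha_ok          # callable(token) -> bool (assumed verifier)
        self.now = now                        # injectable clock, used by the demo below
        self.by_recipient = defaultdict(deque)
        self.by_source = defaultdict(deque)

    def _recent(self, bucket, key):
        q = bucket[key]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:            # drop timestamps outside the window
            q.popleft()
        return len(q)

    def check(self, source_ip, recipient, captcha_token):
        """Return (allowed, reason). Only allowed requests consume quota."""
        if not captcha_token or not self.captcha_ok(captcha_token):
            return False, "captcha"
        recipient = recipient.strip().lower()
        if self._recent(self.by_recipient, recipient) >= MAX_PER_RECIPIENT:
            return False, "recipient_limit"
        if self._recent(self.by_source, source_ip) >= MAX_PER_SOURCE:
            return False, "source_limit"
        t = self.now()
        self.by_recipient[recipient].append(t)
        self.by_source[source_ip].append(t)
        return True, "ok"


def replay(requests):
    """Feed constructed (ip, email, token) tuples through a guard with a fixed clock
    and a stub captcha that accepts only the token 'valid'; returns the reasons."""
    guard = SubscribeGuard(captcha_ok=lambda tok: tok == "valid", now=lambda: 1000.0)
    return [guard.check(ip, email, tok)[1] for ip, email, tok in requests]


if __name__ == "__main__":
    burst = [("198.51.100.7", "victim@example.org", "valid")] * 5   # constructed sample
    print(replay([("198.51.100.7", "victim@example.org", "")] + burst))
    # -> ['captcha', 'ok', 'ok', 'ok', 'recipient_limit', 'recipient_limit']
```

The per-recipient cap is the one that matters for the abuse in the report, since a spammer can rotate source addresses but not the victim's inbox.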
Report Stats
  • Report ID: 145612
  • State: Closed
  • Substate: resolved
  • Upvotes: 3