Vulnerability Report: NO RATE LIMIT Password RESET

Disclosed: 2024-02-02 15:05:39 By cyb3r_assass1n To trellix
Low
Vulnerability Details
Vulnerability Description: There is no limit on the number of password resets that are sent to the user. This may allow an attacker to send an unlimited number of OTPs to the user if he/she gets the user session.

How to Reproduce this vulnerability:

Visit: [https://home.mcafee.com/secure/protected/login.aspx?rfhs=1](https://home.mcafee.com/secure/protected/login.aspx?rfhs=1)

1. Sign up if you don't have an account.
2. Now log out if you're logged in.
3. Open Burp and turn Intercept on.
4. Catch the traffic using Burp Intercept and forward until you get to the OTP section; now right-click and send this to Sequencer.
5. Click on "Start live capture".
6. You can see in the mail that you get a number of OTP requests; even if you stop the Sequencer it won't stop, because the requests are already sent.

Proof of Concept: proofs are enclosed in the attachments below.

## Impact

E-mail bomb attacks may create Denial of Service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space.
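The mitigation for the class of issue in this report is a server-side limit on how often a password-reset OTP may be issued. The following is an added illustration, not code from the report, from HackerOne, or from Trellix/McAfee: a sliding-window limiter keyed by account and by source IP, with a minimum gap between sends, plus a request handler that returns the same generic response whether or not an OTP was actually sent. The quotas (5 per account per hour, 20 per IP per hour, 60 s cooldown), the `Decision`/`OtpRateLimiter` names and the sample account and IP values are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    """Outcome of a rate-limit check (hypothetical type for this example)."""
    allowed: bool
    reason: str


class OtpRateLimiter:
    """Sliding-window limiter for password-reset OTP sends.

    Hypothetical defensive example; the limits below are illustrative
    defaults, not values used by any real service.
    """

    def __init__(self, per_account=5, per_ip=20, window_s=3600, min_gap_s=60):
        self.per_account = per_account   # max sends per account per window
        self.per_ip = per_ip             # max sends per source IP per window
        self.window_s = window_s         # window length in seconds
        self.min_gap_s = min_gap_s       # cooldown between two sends for one account
        self._by_account = defaultdict(deque)  # account -> send timestamps
        self._by_ip = defaultdict(deque)       # ip -> send timestamps

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= window:
            q.popleft()

    def allow(self, account, ip, now):
        """Decide whether an OTP may be sent now; records the send if allowed."""
        acct_q = self._by_account[account]
        ip_q = self._by_ip[ip]
        self._prune(acct_q, now, self.window_s)
        self._prune(ip_q, now, self.window_s)
        # Replaying the same request back-to-back (the report's Sequencer
        # scenario) is stopped first by the per-account cooldown.
        if acct_q and now - acct_q[-1] < self.min_gap_s:
            return Decision(False, "cooldown")
        if len(acct_q) >= self.per_account:
            return Decision(False, "account_quota")
        # Many accounts targeted from one source are caught by the IP quota.
        if len(ip_q) >= self.per_ip:
            return Decision(False, "ip_quota")
        acct_q.append(now)
        ip_q.append(now)
        return Decision(True, "ok")


GENERIC_RESPONSE = "If an account exists for that address, a code has been sent."


def handle_reset_request(limiter, account, ip, now, send_otp, audit_log):
    """Handle one reset request: send at most as often as the limiter allows,
    log the decision for detection, and never reveal the limiter state to
    the caller (same message either way)."""
    decision = limiter.allow(account, ip, now)
    audit_log.append({"account": account, "ip": ip, "t": now,
                      "allowed": decision.allowed, "reason": decision.reason})
    if decision.allowed:
        send_otp(account)
    return GENERIC_RESPONSE


def count_allowed(limiter, account, ip, times):
    """Replay a reset request at each timestamp; return how many sends went out."""
    return sum(1 for t in times if limiter.allow(account, ip, t).allowed)


if __name__ == "__main__":
    # Constructed scenario: the same captured request replayed 100 times
    # within one second (as in the report) now yields a single OTP e-mail.
    burst = count_allowed(OtpRateLimiter(), "alice@example.test", "203.0.113.5",
                          [i * 0.01 for i in range(100)])
    print("sends from a 100-request burst:", burst)
```

A burst of replayed requests now produces one e-mail instead of one per request, and the `audit_log` entries with `allowed == False` are the signal a SOC would alert on (many `cooldown`/`account_quota` denials for one account or IP in a short span). The generic response keeps the limiter from becoming an account-enumeration oracle.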
Report Stats
  • Report ID: 640781
  • State: Closed
  • Substate: resolved
  • Upvotes: 50