We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Insufficient Granularity of Access Control in thedevdojo/wave

Valid

Reported on

Oct 9th 2021

Description:

There is no rate limit sent unlimited email victim or any email address.

Proof of Concept:

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

Impact:

Attacker can sent unlimited email to any mail address .

Solution:

Add 'throttle' => 60, to auth.php config or $this->middleware('throttle:3,1') to the forgot password controller construct.

References:

https://apisecurity.io/encyclopedia/content/owasp/api4-lack-of-resources-and-rate-limiting.htm

Z-Old
2 years ago

Admin

Hey HDVinnie, I've opened a PR asking for a security policy.

HDVinnie
2 years ago

Researcher

@Ziding Zhang thanks. Looks like the PR has been accepted. Hopefully the maintainer will get an email now and respond here.

HDVinnie
2 years ago

Researcher

@admin the PR has been merged with a valid email address....can you please force send the disclosure email with the magic link?

Iskam Website validated this vulnerability 2 years ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Iskam Website marked this as fixed with commit 6201d6 2 years ago
Iskam Website has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation