No rate limiting on the reset password page will lead to a DoS attack and inbox flooding for any user in kiwitcms/kiwi

Valid

Reported on

Nov 24th 2022


Description

I can use this attack to take advantage of the reset password confirmation mechanism and send a large number of emails to anyone simply because I know his email address, as well as perform a DoS attack by draining the resources of the SMTP service and the web server.

Proof of Concept

// PoC.js
https://1drv.ms/v/s!AjTDEH9wRz1ugRE6IG1N-CHkvXml?e=mhTsF6

Impact

I can deny service, and the server will drain the SMTP resources and flood the email inbox of any user whose email address I have, and all of those emails will be sent from the kiwitcms.org site, destroying the company's reputation.

Occurrences

Set a limit on the number of messages sent per minute.
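A minimal server-side rate limit of the kind suggested above, added here as an illustration and not the project's actual fix: reset mails are counted per normalised address in a sliding window, and excess requests are silently dropped while the user-visible response stays identical. The limit of three mails per minute, the class and function names and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Constructed example: per-address sliding-window limit on password-reset mails.
# Generic defensive pattern, not Kiwi TCMS code; the limits are assumptions.
MAX_MAILS_PER_WINDOW = 3
WINDOW_SECONDS = 60.0


class ResetMailLimiter:
    def __init__(self, max_per_window=MAX_MAILS_PER_WINDOW,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._sent = defaultdict(deque)  # normalised email -> send timestamps

    def allow(self, email):
        """Return True if one more reset mail may be sent to this address now."""
        key = email.strip().lower()  # "Victim@Example.com " and "victim@example.com" share a budget
        now = self.clock()
        stamps = self._sent[key]
        # Forget sends that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            return False
        stamps.append(now)
        return True


def handle_reset_request(email, limiter, send_mail):
    """Reset-request handler: same reply whether or not a mail went out.

    The constant response keeps the limiter from becoming an oracle for
    which addresses exist or which are currently being throttled.
    """
    if limiter.allow(email):
        send_mail(email)
    return "If that address is registered, a reset link has been sent."


def demo():
    """Burst of 10 requests, then one more after the window clears."""
    fake_now = [0.0]
    sent = []
    limiter = ResetMailLimiter(clock=lambda: fake_now[0])
    for _ in range(10):
        handle_reset_request("victim@example.com", limiter, sent.append)
    burst = len(sent)            # only 3 mails left the server
    fake_now[0] += WINDOW_SECONDS  # a minute later the budget is back
    handle_reset_request("Victim@Example.com ", limiter, sent.append)
    return burst, len(sent)      # (3, 4)
```

In production the per-address budget would live in the shared cache or database rather than in process memory, and a per-client-IP budget on the same view is the natural companion, since a single sender can also spray many different addresses.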

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. 4 months ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 4 months ago
Ahmed
4 months ago

Researcher


@admin Any update?

Ahmed
3 months ago

Researcher


@admin Any updates?

Pavlos
2 months ago

Admin


No update, feel free to reach out via other channels

kiwitcms/kiwi maintainer validated this vulnerability a month ago
Ahmed Rabeaa Mosaa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer marked this as fixed in 12.0 with commit 761305 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 20th 2023
test_views.py#L397 has been validated
Ahmed
a month ago

Researcher


Can you assign a CVE?

kiwitcms/kiwi maintainer published this vulnerability a month ago