Insufficient Granularity of Access Control in pixelfed/pixelfed

Valid

Reported on

Oct 9th 2021


Description:

There is no rate limit sent unlimited email victim or any email address.

Proof of Concept:

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

Impact:

Attacker can sent unlimited email to any mail address .

Solution:

Add 'throttle' => 60, to auth.php config or $this->middleware('throttle:3,1') to the forgot password controller construct.

References:

https://apisecurity.io/encyclopedia/content/owasp/api4-lack-of-resources-and-rate-limiting.htm

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the pixelfed team and are waiting to hear back 2 months ago
pixelfed/pixelfed maintainer validated this vulnerability a month ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
pixelfed/pixelfed maintainer confirmed that a fix has been merged on 2609c8 a month ago
The fix bounty has been dropped