Insufficient Granularity of Access Control in pixelfed/pixelfed
Oct 9th 2021
The password reset ("forgot password") endpoint has no rate limit, so an attacker can send an unlimited number of password reset emails to a victim or to any other email address.
Proof of Concept:
The password reset request is not rate limited: submit the forgot-password form for the victim's (or any other) email address and repeat the request as often as desired. Every submission dispatches another reset email and no request is ever rejected.
An attacker can therefore send unlimited email to any mail address (mail bombing / spam from the instance's mail server).
Recommended fix (either or both):
- set 'throttle' => 60 in the passwords section of config/auth.php, Laravel's built-in per-address cooldown, so a second reset mail for the same address is refused within 60 seconds, or
- add $this->middleware('throttle:3,1') to the forgot password controller's constructor, so each client gets at most 3 reset requests per minute.
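The two settings limit different things: the per-address throttle stops repeated mails to one victim even when the attacker rotates source IPs, while the route throttle stops one client from spraying many different addresses. The following Python model, an added example that is not pixelfed or Laravel code, simulates both layers (the route throttle as a fixed window starting at the first hit, as Laravel's cache-backed RateLimiter does) and replays a constructed flood against the unpatched and the patched configuration. All IP addresses, email addresses and timings are constructed.

```python
"""Model of the two Laravel throttles proposed as the fix for the
password-reset mail flood (added example, not pixelfed code)."""


class PasswordResetGate:
    """Simulated /password/email endpoint with two independent limits.

    * route_limit / route_window model the 'throttle:3,1' middleware: at most
      route_limit hits per client key (IP) inside a fixed window that starts
      at the first hit, like Laravel's cache-backed RateLimiter.
    * email_throttle models 'throttle' => 60 in config/auth.php: no second
      reset mail for the same address within that many seconds.

    route_limit=None or email_throttle=0 disables a layer; both disabled
    reproduces the unthrottled behaviour described in the report.
    """

    SENT = "sent"                      # reset mail dispatched
    THROTTLED = "passwords.throttled"  # broker refused, no mail (Laravel status)
    TOO_MANY = "429"                   # middleware rejected before the controller

    def __init__(self, route_limit=3, route_window=60, email_throttle=60):
        self.route_limit = route_limit
        self.route_window = route_window
        self.email_throttle = email_throttle
        self._route = {}      # ip -> [window_start, hits]
        self._last_sent = {}  # email -> time of last mail

    def _route_allows(self, ip, now):
        if self.route_limit is None:
            return True
        start, hits = self._route.get(ip, (now, 0))
        if now - start >= self.route_window:  # window expired, start a new one
            start, hits = now, 0
        hits += 1
        self._route[ip] = [start, hits]
        return hits <= self.route_limit

    def request(self, ip, email, now):
        """One POST /password/email from `ip` for `email` at time `now` (seconds)."""
        if not self._route_allows(ip, now):
            return self.TOO_MANY
        last = self._last_sent.get(email)
        if last is not None and now - last < self.email_throttle:
            return self.THROTTLED
        self._last_sent[email] = now
        return self.SENT


def run_flood(gate, events):
    """Replay (time, ip, email) tuples through `gate`; return per-request outcomes."""
    return [gate.request(ip, email, t) for t, ip, email in events]


def mails_sent(results):
    """Count how many requests actually produced a reset mail."""
    return sum(1 for r in results if r == PasswordResetGate.SENT)


# Constructed traffic: an attacker at 203.0.113.5 hammers the victim address,
# then switches to a second IP (198.51.100.7) and a second target address.
FLOOD = [
    (0, "203.0.113.5", "victim@example.org"),
    (1, "203.0.113.5", "victim@example.org"),
    (2, "203.0.113.5", "victim@example.org"),
    (3, "203.0.113.5", "victim@example.org"),
    (4, "198.51.100.7", "victim@example.org"),
    (5, "198.51.100.7", "other@example.org"),
    (61, "203.0.113.5", "victim@example.org"),
]

if __name__ == "__main__":
    unpatched = PasswordResetGate(route_limit=None, email_throttle=0)
    print("unpatched:", run_flood(unpatched, FLOOD))  # every request sends mail
    print("patched:  ", run_flood(PasswordResetGate(), FLOOD))
```

Running the replay with only one of the two layers enabled shows why the report lists both: the route throttle alone still lets the second IP keep mailing the victim, and the per-address cooldown alone still lets a single client target a fresh address on every request.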