Insufficient Granularity of Access Control in attendize/attendize

Valid

Reported on

Oct 9th 2021

Description:

There is no rate limit sent unlimited email victim or any email address.

Proof of Concept:

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

Impact:

Attacker can sent unlimited email to any mail address .

Solution:

Add 'throttle' => 60, to auth.php config or $this->middleware('throttle:3,1') to the forgot password controller construct.

References:

https://apisecurity.io/encyclopedia/content/owasp/api4-lack-of-resources-and-rate-limiting.htm

We have contacted a member of the attendize team and are waiting to hear back 2 years ago

Johanna Cherry validated this vulnerability 2 years ago

HDVinnie has been awarded the disclosure bounty

The fix bounty is now up for grabs

Johanna Cherry marked this as fixed with commit 966576 2 years ago

Johanna Cherry has been awarded the fix bounty

This vulnerability will not receive a CVE

HDVinnie

commented 2 years ago

Researcher

@Johanna Cherry Thanks for taking the time to review and fix this. There is one more if you dont mind. https://huntr.dev/bounties/500e7046-f017-4ef5-b43e-43d6794f77d6/

to join this conversation