Insufficient Granularity of Access Control in attendize/attendize


Reported on

Oct 9th 2021


There is no rate limit sent unlimited email victim or any email address.

Proof of Concept:

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.


Attacker can sent unlimited email to any mail address .


Add 'throttle' => 60, to auth.php config or $this->middleware('throttle:3,1') to the forgot password controller construct.


We have contacted a member of the attendize team and are waiting to hear back 2 months ago
Johanna Cherry validated this vulnerability a month ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Johanna Cherry confirmed that a fix has been merged on 966576 a month ago
Johanna Cherry has been awarded the fix bounty
a month ago


@Johanna Cherry Thanks for taking the time to review and fix this. There is one more if you dont mind.