- Status: Closed
- Assigned To: cbay - Private
- Attached to Project: Security vulnerabilities
- Opened by saitan_op - 10.07.2025
- Last edited by cbay - 11.07.2025
FS#194 - Rate Limiting Missing on Critical Endpoint – Financial and Availability Risk
The password reset endpoint on admin.alwaysdata.com lacks rate limiting, allowing an attacker to flood a user’s inbox with hundreds or thousands of password reset emails in a short time.
I was able to generate 500+ emails within 30 minutes using Burp Community Edition. An attacker using Burp Pro or custom tools could easily escalate this to thousands of emails in seconds, causing email service abuse, financial impact, and potential denial of service for legitimate users.
This vulnerability could damage the company’s reputation, lead to increased email costs, and affect email delivery reliability for all users.
PoC and screenshot included in the attached PDF report.
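As an added illustration of the control the report says is missing (example code written for this page, not alwaysdata's own implementation; the limits, the hypothetical `ResetThrottle` class and the sample addresses are assumptions), here is a sliding-window limiter applied to a password reset handler, keyed both on the target account and on the requesting source. Replaying the report's scenario of 500 requests over 30 minutes against it shows how many reset emails would actually be sent.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    Timestamps are kept per key in a deque; anything older than the
    window is evicted on each call, so memory stays bounded by `limit`.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = {}  # key -> deque of timestamps

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetThrottle:
    """Hypothetical guard in front of a password reset endpoint.

    Assumed limits: 3 reset emails per account per hour, and 10 reset
    requests per source address per 10 minutes (example values only).
    """

    def __init__(self, per_account=(3, 3600), per_source=(10, 600)):
        self.per_account = SlidingWindowLimiter(*per_account)
        self.per_source = SlidingWindowLimiter(*per_source)

    def handle(self, email, source_ip, now=None):
        # Normalise the account key so case variants share one budget.
        account_key = email.strip().lower()
        if not self.per_source.allow(source_ip, now):
            return "throttled-source"
        if not self.per_account.allow(account_key, now):
            return "throttled-account"
        # Here the real handler would enqueue the reset email.
        return "sent"


def simulate_flood(requests=500, minutes=30,
                   email="victim@example.com", ip="203.0.113.7"):
    """Replay a constructed flood of reset requests and count emails sent."""
    throttle = ResetThrottle()
    spacing = minutes * 60 / requests  # seconds between requests
    sent = 0
    for i in range(requests):
        if throttle.handle(email, ip, now=i * spacing) == "sent":
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed scenario from the report: 500 requests in 30 minutes.
    print("emails sent with throttle:", simulate_flood())
```

The per-account limit is what stops the inbox flood described in the report; the per-source limit mainly protects the mail queue when many accounts are targeted. Whatever the outcome, the endpoint should return the same generic response for sent and throttled requests, and the throttled events are worth logging as a signal for monitoring.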
Hello,
None of those have been demonstrated by your report.
Kind regards,
Cyril