Headline
CVE-2023-4138: No rate limit on send report functionality results in an email spam in rdiffweb
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0.
Description
There is no rate limit on the send report feature on the https://rdiffweb-dev.ikus-soft.com/prefs/notification endpoint , which allows an attacker to spam the victims mailbox
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/notification
2) Click on daily frequency for Send me a backup status report
3) Turn on your intercept and capture the request while you Click the Save and send report button .
4) Send this report to the repeater and send the same request 100 times .
5) You will see that the mailbox has been spammed
Impact
Due to lack of rate limit this may create an email spam attack or may put immense load on the mail server being used causing additional expenses for the organisation
Related news
GHSA-wwrg-2w5j-grvx: RDiffWeb vulnerable to Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0.