Submission #622186: atjiu https://github.com/atjiu/pybbs <=6.0.0 Enumerate registered emails

Information
Title: atjiu https://github.com/atjiu/pybbs <=6.0.0 Enumerate registered emails
Description: In the latest v6.0.0 version, the endpoint /api/settings/sendEmailCode has a logic issue. The error message indicates that the email has already been registered, and there are no security measures such as rate limiting or CSRF protection. This allows attackers to exploit this error message to brute-force registered users' emails, thereby leaking the email addresses of registered users.
Source: https://github.com/atjiu/pybbs/issues/202
User: ZAST.AI (UID 87884)
Submission: 25/07/2025 03:33 (11 months ago)
Moderation: 04/08/2025 15:05 (10 days later)
Status: Accepted
VulDB entry: 318677 [atjiu pybbs up to 6.0.0 Registered Email SettingsApiController.java sendEmailCode email information disclosure]
Points: 19
