提出 #851624: Mettle sendportal Latest Improper Authentication情報

タイトルMettle sendportal Latest Improper Authentication
説明Full technical report, proof-of-concept requests, screenshots, database evidence, logs, and reproduction artifacts are available at: [https://drive.google.com/drive/folders/1yfzkZGXsP8tS2v3LvMr5vMfhTfURtiS0?usp=sharing] Title: Unauthenticated Forged SendGrid Webhooks Allow Subscriber Suppression Due to Missing Signature Verification Vendor: Mettle Product: SendPortal Affected Version: Latest Class: Authentication Bypass / Insufficient Verification of Data Authenticity CWE: CWE-345 – Insufficient Verification of Data Authenticity Summary A vulnerability exists in SendPortal's webhook processing functionality where provider webhook events are accepted and processed without validating their authenticity. The SendGrid webhook endpoint accepts unsigned requests and processes them as legitimate provider events. An attacker with access to a valid message_id can submit forged bounce events that cause subscribers to be marked as unsubscribed and excluded from future campaign deliveries. The same missing-authenticity-verification pattern is present in the Postmark, Postal, and Mailjet webhook handlers. Technical Details The SendGrid webhook controller processes incoming JSON payloads and immediately dispatches webhook events without verifying SendGrid's published webhook signature. The affected route is publicly accessible and does not require authentication. Observed behavior: * No authentication token required * No provider signature required * No shared secret validation * No provider authenticity verification A forged bounce event referencing a valid message_id is accepted and processed successfully. The webhook processing pipeline subsequently: 1. Locates the associated message record. 2. Marks the message as bounced. 3. Updates the subscriber record. 4. Sets unsubscribed_at. 5. Excludes the subscriber from future campaign deliveries. Observed Database State Before forged webhook: subscriber.id = 1 email = [[email protected]](mailto:[email protected]) unsubscribed_at = NULL After forged webhook: subscriber.id = 1 email = [[email protected]](mailto:[email protected]) unsubscribed_at = 2026-06-07 16:07:04 unsubscribe_event_id = 1 The application's campaign dispatch pipeline explicitly filters subscribers using: whereNull('unsubscribed_at') As a result, subscribers affected by forged webhook events are excluded from all future campaign dispatches. Expected Behavior Webhook requests should be processed only after successful verification of the provider's authenticity mechanism. Unsigned or invalid webhook requests should be rejected before any state-changing operations occur. Actual Behavior Unsigned webhook requests are accepted and processed as legitimate provider events, resulting in unauthorized modification of subscriber state. Impact * Unauthorized subscriber suppression * Permanent exclusion of subscribers from future campaign deliveries * Modification of application state without authentication * Publicly reachable attack surface * Integrity impact on mailing operations Additional Affected Endpoints The same missing verification pattern was identified in: * POST /api/v1/webhooks/postmark * POST /api/v1/webhooks/postal * POST /api/v1/webhooks/mailjet Forged subscriber suppression was demonstrated against the SendGrid implementation. The remaining handlers exhibit the same authenticity-verification weakness. Steps to Reproduce 1. Create an active subscriber. 2. Ensure a message record exists with a valid message_id. 3. Verify the subscriber has unsubscribed_at = NULL. 4. Submit a forged SendGrid bounce webhook containing the valid message_id. 5. Observe successful processing. 6. Query the subscriber record. 7. Observe unsubscribed_at is populated. 8. Trigger campaign dispatch logic. 9. Observe the subscriber is excluded due to the whereNull('unsubscribed_at') filter. Evidence The linked report contains: * Source code references * Route analysis * Controller analysis * Proof-of-concept requests * Database before/after evidence * Application logs * Impact validation * Remediation guidance All supporting material is available in the linked report.
ソース⚠️ https://github.com/mettle/sendportal/issues/340
ユーザー
 Superman_04 (UID 98152)
送信2026年06月08日 16:43 (1 月 ago)
モデレーション2026年07月09日 07:36 (1 month later)
ステータス承諾済み
VulDBエントリ377118 [mettle sendportal 迄 3.0.1 APIv1 Webhooks sendgrid/postmark/postal/mailjet 弱い認証]
ポイント20

Interested in the pricing of exploits?

See the underground prices here!