| Field | Value |
|---|---|
| Title | atjiu https://github.com/atjiu/pybbs <=6.0.0 Enumerate registered emails |
| Description | In the latest v6.0.0 version, the endpoint /api/settings/sendEmailCode has a logic issue. The error message indicates that the email has already been registered, and there are no security measures such as rate limiting or CSRF protection. This allows attackers to exploit this error message to brute-force registered users' emails, thereby leaking the email addresses of registered users. |
| Source | https://github.com/atjiu/pybbs/issues/202 |
| User | ZAST.AI (UID 87884) |
| Submission | 07/25/2025 03:33 (11 months ago) |
| Moderation | 08/04/2025 15:05 (10 days later) |
| Status | Accepted |
| VulDB entry | 318677 [atjiu pybbs up to 6.0.0 Registered Email SettingsApiController.java sendEmailCode email information exposure] |
| Points | 19 |