unsubscribe anyone from all ████████ emails @ █████
Low
Mars
Submitted None
Team Summary
Official summary from Mars
A vulnerability is reported in the unsubscribe functionality of ████████. The issue allows for the unsubscription of arbitrary users from all Banfield emails by manipulating the subscriber ID (sid) parameter in the unsubscribe URL. This vulnerability is classified under CWE-284: Improper Access Control. The predictable nature of the sid parameter enables potential mass unsubscription of customers from email communications.
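One way to close the gap described in the summary, shown as an added example (not code from the report or from the affected vendor): bind each unsubscribe link to its subscriber with an HMAC, so that changing `sid` invalidates the link. The `sig` parameter, the URL layout, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for the demo; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sign_sid(sid: str, key: bytes = SECRET_KEY) -> str:
    """Return an HMAC-SHA256 tag that binds a link to one subscriber ID."""
    msg = b"unsubscribe:" + sid.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_unsubscribe_url(base: str, sid: str) -> str:
    """Build the link placed in an outgoing email (hypothetical URL layout)."""
    return base + "?" + urlencode({"sid": sid, "sig": sign_sid(sid)})


def authorize_unsubscribe(url: str, key: bytes = SECRET_KEY):
    """Return the sid to unsubscribe, or None if the request must be rejected."""
    params = parse_qs(urlparse(url).query)
    sid_values = params.get("sid", [])
    sig_values = params.get("sig", [])
    # Reject missing or duplicated parameters rather than guess which to trust.
    if len(sid_values) != 1 or len(sig_values) != 1:
        return None
    sid, sig = sid_values[0], sig_values[0]
    expected = sign_sid(sid, key).encode("utf-8")
    # Constant-time comparison; bytes on both sides avoids a TypeError
    # when the supplied signature contains non-ASCII characters.
    if not hmac.compare_digest(expected, sig.encode("utf-8")):
        return None
    return sid


if __name__ == "__main__":
    link = build_unsubscribe_url("https://mail.example.test/unsubscribe", "1001")
    print("valid link   ->", authorize_unsubscribe(link))
    print("sid changed  ->", authorize_unsubscribe(link.replace("sid=1001", "sid=1002")))
```

With this check in place a predictable `sid` no longer matters, because the server only acts on an ID whose signature it issued itself.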
Reported by
abfe
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Improper Access Control - Generic