Ability to reset password for account
Critical
Upserve
Team Summary
Official summary from Upserve
The attacker was able to send a password reset link to an arbitrary email by sending an array of email addresses instead of a single email address.

POST https://hq.breadcrumb.com/api/v1/password_reset HTTP/1.1
with body like {"email_address":["[email protected]","[email protected]"]}
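The root cause in the summary is a type-confusion in request parsing: the handler accepts whatever JSON value arrives under email_address and hands it to the mailer, so an array of addresses is treated as a list of recipients. The following added example (not Upserve's code; the function names, the ACCOUNTS store and the address regex are assumptions constructed for illustration) shows the loose parsing beside a strict version, and a hardened handler that only ever mails the address stored for the account and answers identically whether or not the address exists.

```python
import json
import re

# Constructed sample account store for this example: account id -> registered address.
ACCOUNTS = {"u-1001": "owner@example.com"}

# Conservative shape check, assumed for this example: one local part, one "@",
# a dotted domain, no whitespace. A real service would use its own validator.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[^@\s]+$")


def reset_target_loose(body):
    """Loosely typed handling, the defect the report describes: whatever the
    client sent under email_address is returned as-is, so a JSON array of
    addresses is accepted and every element would receive the reset link."""
    return json.loads(body).get("email_address")


def reset_target_strict(body):
    """Strictly typed handling: email_address must be exactly one string that
    parses as an address. Arrays, objects, numbers and null are rejected
    before anything is looked up or mailed."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    value = data.get("email_address")
    if not isinstance(value, str):
        raise ValueError("email_address must be a single string")
    value = value.strip().lower()
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("email_address is not a well-formed address")
    return value


def handle_password_reset(body, accounts=ACCOUNTS, outbox=None):
    """Hardened handler (hypothetical). Returns (status, response_text) and
    appends any reset mail to outbox as (recipient, subject). Two properties
    matter: the link goes only to the address stored for the account, never
    to a client-supplied value, and the response is the same whether or not
    the address is registered, so the endpoint does not enumerate accounts."""
    if outbox is None:
        outbox = []
    try:
        requested = reset_target_strict(body)
    except ValueError as exc:
        return 400, str(exc)
    # Look up the account by its registered address, then mail that stored
    # address rather than echoing back the string the client sent.
    for account_id, stored in accounts.items():
        if stored.lower() == requested:
            outbox.append((stored, f"Password reset for {account_id}"))
            break
    return 200, "If that address is registered, a reset link has been sent."


if __name__ == "__main__":
    # The request shape from the report against both parsers.
    array_body = '{"email_address":["victim@example.com","attacker@example.com"]}'
    print("loose:", reset_target_loose(array_body))
    print("strict:", handle_password_reset(array_body))
```

The isinstance check is the whole fix for the reported bug; the lookup-then-mail-stored-address step and the uniform response are the two further controls a reviewer would expect on any reset endpoint, since a handler that mails the client-supplied string is one parsing change away from the same outcome.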
Reported by
exadmin
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Improper Access Control - Generic