Team Summary
Official summary from 8x8
The Sameroom API contained an endpoint to generate an email to notify the user that the account had been updated. This API request utilized a JSON body that specified the email address and DisplayName of the user without validating the format or characters of the DisplayName. An attacker could have utilized the endpoint to craft convincing spam emails that originated from the Sameroom server.
Reported by
wisp
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Input Validation
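
The summary above attributes the issue to a DisplayName that was placed into a notification email without any check on its format or characters. The sketch below is an added example, not Sameroom or 8x8 code, showing one way to validate that field before the message is built; the JSON keys `Email` and `DisplayName`, the function names, the length limit and the allow-list are all assumptions.

```python
import html
import json
import re
import unicodedata
from email.message import EmailMessage

MAX_NAME_LEN = 64  # assumed limit, not taken from the report
# Assumed allow-list: letters, digits, underscore, space and common name punctuation.
# It excludes CR/LF, angle brackets, '/', ':' and '@'.
ALLOWED = re.compile(r"[\w .,'\-]+")
# A dot followed by two or more letters reads as a domain, which many mail clients link.
LINK_LIKE = re.compile(r"\w\.[a-z]{2,}", re.IGNORECASE)

def validate_display_name(name):
    """Return the normalized name, or raise ValueError."""
    if not isinstance(name, str):
        raise ValueError("display name must be a string")
    # NFKC folds look-alike forms (e.g. full-width dots) before the checks run.
    name = unicodedata.normalize("NFKC", name).strip()
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("display name length out of range")
    if not ALLOWED.fullmatch(name):
        raise ValueError("disallowed character in display name")
    if LINK_LIKE.search(name):
        raise ValueError("display name looks like a link")
    return name

def build_notification(to_addr, display_name):
    name = validate_display_name(display_name)
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Your account was updated"
    msg.set_content(f"Hello {name},\n\nYour account settings were updated.\n")
    # Escape on output as well, so the HTML part never relies on the allow-list alone.
    msg.add_alternative(f"<p>Hello {html.escape(name)},</p>"
                        "<p>Your account settings were updated.</p>", subtype="html")
    return msg

def handle_update_notice(raw_body):
    """Return the message to send, or None when the request is rejected."""
    try:
        body = json.loads(raw_body)
        return build_notification(body["Email"], body["DisplayName"])
    except (KeyError, TypeError, ValueError):
        return None
```

Rejecting the request outright, rather than stripping characters and sending anyway, keeps the server from emitting any message whose greeting line was shaped by the caller.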