In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
The password reset function in the application does not have a rate limiting mechanism, i.e., it does not limit the number of requests sent by one user in a specified time period. An authenticated attacker can automate sending password reset requests, causing hundreds or thousands of email messages to be generated to the target user. This results in flooding the victim's mailbox (email bombing), which can lead to disruption of their operations.
An attacker can flood the mailbox of a selected user with a mass of automatically generated email messages containing password reset links, leading to disruption of the victim's email service availability and potential impediment to their work.
Patches available from the vendor should be applied in accordance with the references. It is recommended to review the vulnerability disclosure policy published by Ascertia at the address indicated in the references.
Ascertia SigningHub in versions up to and including 8.6.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAscertia Signinghub
APPAscertia≤ 8.6.8
Related vulnerabilities
Brak rate limiting w SigningHub umożliwia atak brute force na logowanie
Dowolne przesyłanie plików w SigningHub umożliwia RCE
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any ra...
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to c...
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attac...