The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company.
The vulnerability (CWE-400 — uncontrolled resource consumption) results from the lack of proper authentication mechanisms and access restrictions to the email sending API. An attacker sends specially crafted HTTP requests to the vulnerable API endpoint without needing any credentials. As a result, the server processes the requests and sends emails to any recipients, impersonating the domain or identity of the organization using Bluvoyix.
An attacker can send unsolicited or malicious emails without restrictions to any recipients on behalf of the company, which may lead to serious reputational damage, domain reputation breach, server placement on blacklists, and potential abuse for phishing or spam campaigns.
Patches available from the vendor should be applied according to the references. As a temporary workaround, it is recommended to restrict access to the email sending API endpoint at the firewall or application gateway (WAF) level to trusted sources only, and to implement authentication mechanisms and request rate limiting.
Blusparkglobal Bluvoyix product — versions indicated in the vendor's references
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:H/U:AmberBlusparkglobal Bluvoyix
APPBlusparkglobalwszystkie wersje
Related vulnerabilities
Pominięcie uwierzytelnienia w Blusparkglobal BLUVOYIX (Auth Bypass)
Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX
Brak uwierzytelnienia w admin API Blusparkglobal BLUVOYIX — pełne przejęcie platformy
BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API