In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
An attacker sends multiple requests to the password reset API endpoint, providing the victim's email address, without any mechanism limiting the number of such requests. The system generates and sends subsequent emails with password reset links to the specified address. However, the software vendor points out that the default configuration of the pwresettime parameter is 30 minutes, and the PWRESET_STATUS_ALREADYSENT flag blocks sending additional messages after the first request in this time window — which according to the vendor constitutes sufficient control.
An attacker can cause an overload of a selected user's mailbox with a large number of emails (Email Bombing), which may result in difficult access to the mailbox or hiding other messages in it.
Apply patches available from the manufacturer in accordance with the references. Additionally, it is recommended to verify the configuration of the pwresettime parameter and ensure that the PWRESET_STATUS_ALREADYSENT flag is active. It is also worth considering implementing additional rate limiting mechanisms at the infrastructure level (e.g., firewall, reverse proxy).
Totara LMS in version v19.1.5 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H