Skip to Main Content
Cumulocity IoT Feedback Portal
Status Added/Resolved 🎉
Created by Guest
Created on Dec 23, 2019

Abuse of the password reset feature - Security Risk

A non-authenticated user can use the password reset functionality to send password reset emails to
arbitrary addresses, even if they are not linked to any account of the Web application. The following
request and screenshot illustrate this vulnerability:
POST /user/passwordReset HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic cGFzc3dvcmRyZXNldDpwNDU1dzByZHIzNTM3
UseXBasic: true
Content-Type: application/json;charset=utf-8
Content-Length: 33
Connection: close

A remote attacker could use this functionality to send a large number of emails to arbitrary users. This
could lead to the blacklisting of the server and therefore to the incapacity to send emails altogether.
Only send password reset emails when the submitted email address is linked to an existing account.
 The Web Application Security Consortium - Abuse of Functionality

  • Attach files
  • Admin
    Nikolaus Neuerburg
    Jan 16, 2020

    We plan to change this behaviour with the April 2020 release. Password Reset E-Mails will then only be sent in the case the account exists.

  • Admin
    Nikolaus Neuerburg
    Dec 23, 2019

    Hi Shaine, thanks a lot for the feedback. This is a valid concern. We will discuss this within the product and R&D team and come back to you.