An unauthenticated user can use the password reset functionality to send password reset emails to
arbitrary addresses, even addresses that are not linked to any account of the Web application. The following
request and screenshot illustrate this vulnerability:
https://dormakabastaging.us.cumulocity.com/user/passwordReset
POST /user/passwordReset HTTP/1.1
Host: dormakabastaging.us.cumulocity.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic cGFzc3dvcmRyZXNldDpwNDU1dzByZHIzNTM3
UseXBasic: true
Content-Type: application/json;charset=utf-8
Content-Length: 33
Origin: https://dormakabastaging.us.cumulocity.com
Connection: close

{"email":"soc@vumetric.com"}
A remote attacker could abuse this functionality to send a large number of unsolicited emails to arbitrary
recipients. Because the messages originate from the application's mail infrastructure, this could lead to the
sending server or domain being blacklisted by spam filters and mail providers, and therefore to the
application being unable to send any email at all (including legitimate password reset and notification mails).
Recommendation
Only send password reset emails when the submitted email address is linked to an existing account. To avoid
turning the endpoint into an account enumeration oracle, return the same response (status code, body and
timing as far as practical) whether or not the address is known. Additionally, rate-limit the endpoint per
client IP address and per target email address so that it cannot be used to generate mail in bulk.
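The following is an added example of a hardened reset handler written for this report; it is not Cumulocity code and the account store, limits and helper names (ACCOUNTS, OUTBOX, RateLimiter, handle_password_reset) are hypothetical. It shows the three points of the recommendation together: mail is only generated for a known account, the response is identical for known and unknown addresses, and the endpoint is throttled per IP and per target address. It also includes the token check that the reset link would need on the way back in.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed sample account store (email -> user id); hypothetical data.
ACCOUNTS = {
    "alice@example.com": "user-1",
    "bob@example.com": "user-2",
}

# Stand-in for the mailer: records the messages that would have been sent.
OUTBOX = []

# Issued reset tokens, keyed by user id: (token, expiry timestamp). In-memory for the example.
RESET_TOKENS = {}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Hypothetical limits: 5 requests/hour per client IP, 3/hour per target address.
ip_limiter = RateLimiter(limit=5, window=3600)
email_limiter = RateLimiter(limit=3, window=3600)

# One response for every accepted request, so the handler does not reveal whether the account exists.
GENERIC_RESPONSE = (200, {"message": "If an account exists for that address, a reset email has been sent."})


def normalise(email):
    # Lower-case and trim so "Alice@Example.com " cannot dodge the per-address limit.
    return email.strip().lower()


def send_reset_mail(email, token):
    OUTBOX.append({"to": email, "token": token})


def handle_password_reset(body, client_ip):
    """Handle POST /user/passwordReset. Returns (status, json body) as the HTTP layer would."""
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        return 400, {"error": "invalid email"}
    email = normalise(email)
    # Throttle before any lookup or mail work so the endpoint cannot be driven as a mail cannon.
    if not ip_limiter.allow(client_ip) or not email_limiter.allow(email):
        return 429, {"error": "too many requests"}
    user_id = ACCOUNTS.get(email)
    if user_id is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[user_id] = (token, time.time() + 900)  # valid for 15 minutes
        send_reset_mail(email, token)
    # Same status and body whether or not the address was found.
    return GENERIC_RESPONSE


def verify_reset_token(user_id, presented):
    """Accept a token once, before expiry, using a constant-time comparison."""
    entry = RESET_TOKENS.get(user_id)
    if entry is None:
        return False
    token, expires_at = entry
    if time.time() > expires_at:
        RESET_TOKENS.pop(user_id, None)
        return False
    if not hmac.compare_digest(token, presented):
        return False
    RESET_TOKENS.pop(user_id, None)  # single use
    return True
```

The limiter keys on the normalised address as well as the client IP because an attacker targeting one victim would otherwise only need a pool of source addresses; the per-address limit caps how many mails any single recipient can receive regardless of where the requests come from.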
References
The Web Application Security Consortium - Abuse of Functionality
http://projects.webappsec.org/w/page/13246913/Abuse%20of%20Functionality
We plan to change this behaviour with the April 2020 release. Password reset e-mails will then only be sent in case the account exists.
Hi Shaine, thanks a lot for the feedback. This is a valid concern. We will discuss this within the product and R&D team and come back to you.