usd-2021-0027 | E-mail verification Bypass in CleverReach Newsletter Service

Advisory ID: usd-2021-0027
Affected Product: CleverReach
Affected Version: Latest (as of 3rd May 2021)
Vulnerability Type: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Security Risk: Low
Vendor URL
Vendor Status: Fixed


It was possible to register and verify arbitrary e-mail addresses for the newsletter.
The link shown on the registration confirmation page and the link sent by e-mail for verification differed in only one letter.
Therefore, it was possible to craft the verification link without access to the e-mail account.

Proof of Concept (PoC)

After the form for the newsletter registration is completed, the user is redirected to a confirmation page.
The link for the confirmation page looks like this:

The verification link sent via email only differs in one letter:

By changing /wcs/ to /wss/, it is possible to register and verify arbitrary e-mail addresses without having access to them.


The verification link should be unique and independent of the registration process, so that nothing shown to the browser during registration allows it to be derived.
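The following is an added illustration of that recommendation and is not CleverReach's code. It models a double-opt-in flow in which the verification token is generated per registration from the OS CSPRNG, delivered only by e-mail, stored server-side as a hash, and consumed once within a validity window. The confirmation page the browser is redirected to carries nothing derived from the token, so no edit to the confirmation URL yields a valid verification link. The host name, paths, query parameter and the 24-hour TTL are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 24 * 3600   # assumed validity window for a verification link


@dataclass
class PendingSubscription:
    email: str
    expires_at: float


class DoubleOptIn:
    """Constructed double-opt-in flow. The secret token exists only in the
    e-mailed verification link and as a hash in the pending table; the
    registration confirmation URL shares nothing with it."""

    BASE = "https://newsletter.example"   # hypothetical host

    def __init__(self) -> None:
        self._pending: Dict[str, PendingSubscription] = {}   # token hash -> pending record
        self.verified: Dict[str, float] = {}                  # e-mail -> verification time

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked pending table yields no usable verification links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def register(self, email: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Returns (confirmation_url, verification_url): the page the browser is
        redirected to, and the link that would be sent to the mailbox."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)              # 256 bits of entropy, URL-safe alphabet
        self._pending[self._digest(token)] = PendingSubscription(email, now + TOKEN_TTL_SECONDS)
        confirmation_url = f"{self.BASE}/confirm?status=check-your-inbox"   # carries no secret
        verification_url = f"{self.BASE}/verify?t={token}"                    # e-mail only
        return confirmation_url, verification_url

    @staticmethod
    def token_from_url(url: str) -> Optional[str]:
        """Extracts the token parameter from a verification link, or None if absent."""
        parts = urlparse(url)
        if parts.path != "/verify":
            return None
        values = parse_qs(parts.query).get("t")
        return values[0] if values else None

    def verify(self, token: Optional[str], now: Optional[float] = None) -> bool:
        """Consumes a token. Returns True exactly once per valid, unexpired token."""
        if not token:
            return False
        now = time.time() if now is None else now
        # pop() removes the record whether or not it is still valid, so a token
        # can never be replayed and expired records do not accumulate.
        record = self._pending.pop(self._digest(token), None)
        if record is None or now > record.expires_at:
            return False
        self.verified[record.email] = now
        return True

    def verify_url(self, url: str, now: Optional[float] = None) -> bool:
        """Convenience wrapper: verifies directly from a clicked link."""
        return self.verify(self.token_from_url(url), now)


if __name__ == "__main__":
    flow = DoubleOptIn()
    confirm, verify_link = flow.register("alice@example.org")
    print("confirmation page:", confirm)
    print("verification link:", verify_link)
    print("confirmation page verifies?", flow.verify_url(confirm))
    print("e-mailed link verifies?", flow.verify_url(verify_link))
    print("second use of the same link?", flow.verify_url(verify_link))
```

The property worth checking in a review is the one the advisory identifies: the token returned in the verification link must not be recoverable from anything the browser sees during registration, and a token must stop working after first use or after its validity window.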


  • 2021-05-03: This vulnerability was identified by Nicolas Schickert.
  • 2021-05-07: Advisory submitted to vendor via e-mail.
  • 2021-05-25: Vendor states that they will be fixing this issue in a future version.
  • 2021-06-30: Vendor acknowledges behaviour and starts working on a fix.
  • 2021-11-22: Vendor informs about fix.
  • 2021-12-30: Vulnerability persists, details provided to vendor.
  • 2022-01-11: Vulnerability is fixed by vendor.
  • 2022-07-15: Advisory is published.


This security vulnerability was identified by Nicolas Schickert of usd AG.