usd-2021-0027 | E-mail verification Bypass in CleverReach Newsletter Service
Advisory ID: usd-2021-0027
Affected Product: CleverReach
Affected Version: Latest (as of 3rd May 2021)
Vulnerability Type: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Security Risk: Low
Vendor URL: https://www.cleverreach.com/de/
Vendor Status: Fixed
It was possible to register and verify arbitrary e-mail addresses for the newsletter.
The link for the registration confirmation and the link needed for the e-mail verification only differed in one letter.
Therefore, it was possible to craft the verification link without access to the e-mail account.
Proof of Concept (PoC)
After the form for the newsletter registration is completed, the user is redirected to a confirmation page.
The link for the confirmation page looks like this:
The verification link sent via email only differs in one letter:
By changing /wcs/ to /wss/ it is possible to register and verify arbitrary e-mail addresses without having access to them.
The verification link should be unique and independent from the registration process.
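One way to implement this recommendation, as an added example that is not CleverReach's code and not part of the original advisory: the page shown after registration carries no secret, while the e-mailed link carries a random, single-use, expiring token of which the server stores only a hash. The class name, URL paths and 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for the e-mailed link


class PendingSubscriptions:
    """In-memory stand-in for the subscription store (hypothetical)."""

    def __init__(self):
        self._pending = {}    # email -> (sha256(token), expiry timestamp)
        self.verified = set()

    def register(self, email, now=None):
        """Create a pending entry; return (confirmation_path, emailed_path)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[email] = (digest, now + TOKEN_TTL_SECONDS)
        # The browser is redirected here; nothing in it derives from the token.
        confirmation_path = "/subscribe/pending"
        # Only the owner of the mailbox ever receives this path.
        emailed_path = f"/subscribe/verify?email={quote(email)}&token={token}"
        return confirmation_path, emailed_path

    def verify(self, email, token, now=None):
        """Mark the address verified only if the e-mailed token is presented."""
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[email]  # expired links cannot be replayed
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, candidate):
            return False
        del self._pending[email]  # single use
        self.verified.add(email)
        return True
```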
- 2021-05-03: This vulnerability was identified by Nicolas Schickert.
- 2021-05-07: Advisory submitted to vendor via e-mail.
- 2021-05-25: Vendor states that they will be fixing this issue in a future version.
- 2021-06-30: Vendor acknowledges behaviour and starts working on a fix.
- 2021-11-22: Vendor informs about fix.
- 2021-12-30: Vulnerability persists, details provided to vendor.
- 2022-01-11: Vulnerability is fixed by vendor.
- 2022-07-15: Advisory is published.
This security vulnerability was identified by Nicolas Schickert of usd AG.