Email spoofing

Description

The sendEmail endpoint accepts calls without any authentication, so anyone can send mail on behalf of the bank with arbitrary sender, recipient and content.

Impact

An attacker can use the sendEmail endpoint to send email from a legitimate business address, impersonating the organization or its users to run phishing attacks against customers and staff.

Recommendation

Configure the sendEmail endpoint to reject anonymous connections: require every caller to authenticate, restrict sending to authorized principals, and do not let the caller choose the From address.
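The following is an added example, not code from the original page or from the affected application, showing the endpoint in the two forms the finding contrasts: a handler that sends whatever an anonymous caller asks for, and a hardened handler that rejects unauthenticated requests, refuses callers without a mailer role, pins the From address to the application's own sender and blocks CRLF header injection in caller-supplied fields. The function names, the token table, the `mailer` role and the sample requests are hypothetical and constructed for illustration.

```python
"""sendEmail endpoint: anonymous (non-compliant) vs authenticated (compliant).

Added example; names, tokens and the role model are assumptions, not the
original application's code. The 'transport' is a plain list standing in
for the real mail delivery layer so the module runs offline.
"""
import hmac
import re

# Constructed API-token table: token -> principal. Only holders of the
# hypothetical "mailer" role may send mail through the endpoint.
API_TOKENS = {
    "tok_ops_7f3a": {"user": "notifications-svc", "roles": {"mailer"}},
    "tok_ro_91bc": {"user": "reporting-svc", "roles": {"reader"}},
}

# The sender is fixed by the application and never taken from the request.
OUTBOUND_SENDER = "no-reply@example.com"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def send_email_anonymous(request, outbox):
    """Non-compliant: no authentication, caller controls From/To/Subject/Body."""
    msg = {
        "from": request.get("from", OUTBOUND_SENDER),
        "to": request.get("to", ""),
        "subject": request.get("subject", ""),
        "body": request.get("body", ""),
    }
    outbox.append(msg)
    return 200, msg


def _authenticate(headers):
    """Return the principal for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison so token guessing does not leak via timing.
    for token, principal in API_TOKENS.items():
        if hmac.compare_digest(presented, token):
            return principal
    return None


def _has_crlf(value):
    """True if a header value carries CR/LF, i.e. a header-injection attempt."""
    return "\r" in value or "\n" in value


def send_email_authenticated(headers, request, outbox):
    """Compliant: authenticate, authorize, pin the sender, validate headers.

    Returns (http_status, payload); a message reaches the outbox only on 202.
    """
    principal = _authenticate(headers)
    if principal is None:
        return 401, {"error": "authentication required"}
    if "mailer" not in principal["roles"]:
        return 403, {"error": "principal is not allowed to send mail"}
    # The From address is never client-settable; a request that tries to
    # set it is rejected rather than silently overridden, so misuse is visible.
    if "from" in request:
        return 400, {"error": "'from' is not a client-settable field"}
    to = request.get("to", "")
    subject = request.get("subject", "")
    if not EMAIL_RE.match(to) or _has_crlf(to):
        return 400, {"error": "invalid recipient"}
    if _has_crlf(subject):
        return 400, {"error": "invalid subject"}
    msg = {
        "from": OUTBOUND_SENDER,
        "to": to,
        "subject": subject,
        "body": request.get("body", ""),
        "sent_by": principal["user"],  # audit trail: who used the endpoint
    }
    outbox.append(msg)
    return 202, msg


if __name__ == "__main__":
    outbox = []
    # Constructed request an anonymous attacker would send to the weak endpoint.
    print(send_email_anonymous(
        {"from": "ceo@example.com", "to": "victim@example.net",
         "subject": "Urgent: verify your account", "body": "..."}, outbox))
    # Same request against the hardened endpoint: rejected before delivery.
    print(send_email_authenticated(
        {}, {"to": "victim@example.net", "subject": "Urgent"}, outbox))
```

The hardened handler fails closed at each step (401, 403, 400) and only the 202 path appends to the outbox; in a real deployment the same checks sit in front of the SMTP relay rather than only in the HTTP layer, so a second internal caller cannot bypass them.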

Threat

An anonymous attacker on the Internet can send mail through the sendEmail endpoint.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: W
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:W/RC:X
  • Score:
    • Base: 6.5
    • Temporal: 6.4
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The email delivery endpoint does not allow anonymous connections: a client must present credentials before it can send.

email_delivery:
  host: "myhost"
  port: 5400
  email_over_ssl: true
  authentication: admin
  allow_anonymous-connection: false   # unauthenticated clients are rejected
  user_name: "appadmin"
  password: "encrypted_password"      # stored encrypted, not in clear text

Non compliant code

The sendEmail delivery endpoint allows anonymous connections: any client can connect and send without credentials.

email_delivery:
  host: "myhost"
  port: 5400
  email_over_ssl: true
  authentication: :plain
  allow_anonymous-connection: true    # anyone may connect and send mail
  user_name: "appadmin"
  password: "*"                       # placeholder, no real credential is enforced

Requirements