📚 Cuvva: Time-limit Bypassing, Rate-limit Bypassing and Spamming at https://ops.cuvva.co

Hello cuvva secteam, Hope you are well and safe Summary When trying to sign in at https://ops.cuvva.com: 1. There is no checking if supplied email is valid before sending login link (Note: the sent login links do not work) but this bug can be used for spamming any supplied email. 2. The time-limit for pressing Resend button can be bypassed by refreshing URL in the browser as well as intercepting the POST request and repeating it. 3. The rate-limit mechanism that triggers after sending several requests can be bypassed by manipulating both the POST body state and email parameters. This allows the attacker to circumvent Too Many Request error. Steps to reproduce Please watch the attached PoC.mp4 video demonstrating all the above issues. Thank you Have a good day Impact Automated mass spamming of any supplied emails which ruins reputation of cuvva and reflects bad image for the company as well as cause legal issues by being accused of conducting spamming activities. These mass email sending operations may cost you resource and... ...