Description
An HTML form was found on this page that looks susceptible to spam attacks. The form has a hidden input field with an email address as its value. This usually indicates that the recipient of an email-sending form is hardcoded in a hidden input field. If that's the case, malicious users can send email messages through your server without authorization by changing the input value. A malicious spammer could use this tactic to send large numbers of messages anonymously.
Remediation
The recipient of an email-sending form should not be hardcoded in a hidden input value, because hidden inputs are controlled by the client. The value should be set on the server side.
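One way to apply this on the server, shown as an added example that is not part of the original advisory: the form submits only a short identifier, and the handler looks the recipient up in server-side configuration, ignoring any address the client sends. The field names (`form_id`, `subject`, `message`, `recipient`), the addresses and the `build_message` helper are assumptions made for illustration.

```python
from email.message import EmailMessage

# Server-side configuration (constructed addresses): form id -> recipient.
# Nothing in this table is ever taken from the request.
RECIPIENTS = {
    "contact": "support@example.com",
    "sales": "sales@example.com",
}
SENDER = "webform@example.com"
MAX_SUBJECT = 200


def build_message(form: dict) -> EmailMessage:
    """Build the outgoing mail from a submitted form (field name -> string)."""
    form_id = form.get("form_id", "")
    # The client may only pick among destinations the server already knows.
    if form_id not in RECIPIENTS:
        raise ValueError("unknown form id")

    subject = form.get("subject", "")
    # Refuse line breaks in header values so the subject cannot add headers.
    if "\r" in subject or "\n" in subject:
        raise ValueError("invalid subject")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[form_id]      # set on the server, never from input
    msg["Subject"] = subject[:MAX_SUBJECT]
    msg.set_content(form.get("message", ""))
    return msg


# Constructed submission in which the hidden "recipient" field was altered.
TAMPERED = {
    "form_id": "contact",
    "subject": "Question about my order",
    "message": "Hello",
    "recipient": "someone@elsewhere.example",  # ignored by build_message
}

if __name__ == "__main__":
    # Handing the message to smtplib.SMTP(...).send_message(msg) is left out
    # so the example runs offline.
    print(build_message(TAMPERED)["To"])
```
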
Related Vulnerabilities
MongoDb Improper Input Validation Vulnerability (CVE-2013-1892)
Drupal Core 9.3.x Security Bypass (9.3.0 - 9.3.8)
PHP Improper Input Validation Vulnerability (CVE-2007-3998)
Moodle Improper Input Validation Vulnerability (CVE-2012-1168)
ZenCart Improper Input Validation Vulnerability (CVE-2009-4321)