Reggie Phone Number Validation Handler Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Reggie version 1.0, specifically within the Phone Number Validation Handler component. The issue arises in the '/user/sendMsg' file, where the 'code' argument can be manipulated, leading to unauthorized access to sensitive information. This vulnerability can be exploited remotely, and the details have been made public.

Impact

Exploitation of this vulnerability allows for unauthorized access to verification codes, which can be used to bypass login mechanisms, posing a significant security risk by enabling unauthorized user access.

Reproduction

To reproduce this vulnerability, the Redis service must be enabled locally. Once the service is running, send a POST request to the '/user/sendMsg' endpoint with a phone number and an empty 'code' field. The response will include the verification code, which can then be used to log in as the user.