Ascertia SigningHub Email Bombing Vulnerability Due to Lack of Rate Limiting on Password Reset Function
Vulnerability
A vulnerability allowing email bombing has been identified in Ascertia SigningHub versions through 8.6.8. This issue arises from the absence of rate limiting on the password reset function, enabling authenticated attackers to automate password reset requests. This exploitation floods targeted user accounts with a high volume of password reset emails, overwhelming the victims' mailboxes and disrupting email services by causing performance degradation or unresponsiveness on mail servers.
Impact
Exploitation of this vulnerability can lead to a significant increase in password reset emails sent to targeted users, causing their mailboxes to become cluttered and difficult to manage. This flood of emails can also strain mail server resources, potentially causing performance issues or making the servers unresponsive, thereby disrupting email services for the entire organization.
Remediation
Users are advised to implement a rate limit on the password reset function to mitigate this vulnerability. Ascertia will provide support and updates during the product's support period.
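The remediation above, as an added example that is not Ascertia's or SigningHub's own code: a sliding-window rate limiter for a password-reset handler that caps requests both per targeted account and per authenticated caller, so a single account cannot be flooded with reset e-mails and a single caller cannot drive a high request volume. All names (ResetRateLimiter, request_password_reset, the limits and the sample scenario) are assumptions chosen for the illustration.

```python
"""Added example, not SigningHub code: sliding-window rate limiting for a
password-reset endpoint, keyed on the targeted account and on the caller.
Limits, names and the constructed scenario below are assumptions."""
from collections import defaultdict, deque


class ResetRateLimiter:
    def __init__(self, per_target=3, per_caller=10, window_seconds=3600):
        self.per_target = per_target      # max reset mails to one account per window
        self.per_caller = per_caller      # max reset requests by one caller per window
        self.window = window_seconds
        self._target_hits = defaultdict(deque)
        self._caller_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen outside the sliding window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()

    def allow(self, caller_id, target_email, now):
        """Return True if a reset e-mail may be sent now, recording the send."""
        target = self._target_hits[target_email.lower()]  # normalise the address
        caller = self._caller_hits[caller_id]
        self._prune(target, now)
        self._prune(caller, now)
        if len(target) >= self.per_target or len(caller) >= self.per_caller:
            return False
        target.append(now)
        caller.append(now)
        return True


def request_password_reset(limiter, caller_id, target_email, now, send_email):
    """Handler: identical response whether or not mail went out, so the caller
    cannot tell the limit has been reached; send only when the limiter allows."""
    if limiter.allow(caller_id, target_email, now):
        send_email(target_email)
    return {"status": "ok"}


def simulate_flood(requests=50, window_seconds=3600):
    """Constructed scenario: one caller fires many resets at one account within
    a single window. Returns how many e-mails would actually be delivered."""
    limiter = ResetRateLimiter(per_target=3, per_caller=10,
                               window_seconds=window_seconds)
    sent = []
    for i in range(requests):
        request_password_reset(limiter, "caller-A", "victim@example.test",
                               float(i), sent.append)
    return len(sent)  # 3: the per-target cap, not 50
```

Counting only accepted sends keeps the limiter simple; a deployment that also wants repeated denied requests to extend the lockout can record them as well, and should log denials for detection.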
