Budibase Password Reset Functionality Vulnerability Allowing Email Flooding

Vulnerability

A business logic vulnerability has been identified in Budibase's password reset feature, prior to version 3.23.25. The issue arises from a lack of rate limiting, CAPTCHA, and abuse prevention on the 'Forgot Password' endpoint. This allows an unauthenticated attacker to automate password reset requests for the same email address, flooding the user's inbox with hundreds of reset emails in a short period. The vulnerability can cause user harassment, disrupt email services, and lead to financial and reputational damage for Budibase.

Impact

Exploitation of this vulnerability allows for large-scale email flooding, harassment of users, and denial-of-service conditions against user inboxes. Additionally, it can cause financial losses for Budibase due to increased costs from their email service provider, Amazon SES, which charges per email sent.

Reproduction

To reproduce this vulnerability, send repeated password reset requests to the 'Forgot Password' endpoint without any rate limiting or CAPTCHA protection. This can be done manually or automated using tools like Burp Suite Intruder. Each request will successfully trigger a password reset email, demonstrating the lack of abuse prevention on the endpoint.

Remediation

Users should update to Budibase version 3.23.25 or later, where this vulnerability has been patched.
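The control the advisory says was missing is per-address and per-client throttling on the 'Forgot Password' endpoint. The following is an added illustration of that control, written for this page; it is not Budibase's code and does not reflect how the 3.23.25 fix is implemented. The limits, window lengths, in-memory store and field names (`req.body.email`, `req.ip`) are assumptions chosen for the example.

```javascript
// Added example: abuse prevention for a "forgot password" endpoint.
// Not Budibase's code; limits, windows and request shape are illustrative assumptions.

const LIMITS = {
  perEmail: { max: 3, windowMs: 60 * 60 * 1000 },  // at most 3 reset emails per address per hour
  perIp:    { max: 20, windowMs: 15 * 60 * 1000 }, // at most 20 requests per client IP per 15 minutes
};

// Sliding-window counter: keeps request timestamps per key and drops those outside the window.
class SlidingWindowLimiter {
  constructor(max, windowMs) { this.max = max; this.windowMs = windowMs; this.hits = new Map(); }
  // Returns true and records the request if under the limit, false if the key is over it.
  allow(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.max) { this.hits.set(key, recent); return false; }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Normalise so "Victim@Example.com" and "victim@example.com" share one bucket.
function normalizeEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Builds a request handler. sendResetEmail and log are injected so the logic is testable offline.
function createForgotPasswordHandler({ sendResetEmail, limits = LIMITS, log = () => {} }) {
  const emailLimiter = new SlidingWindowLimiter(limits.perEmail.max, limits.perEmail.windowMs);
  const ipLimiter = new SlidingWindowLimiter(limits.perIp.max, limits.perIp.windowMs);
  // Same response whether or not an email went out: no account enumeration, no signal to a flooder.
  const GENERIC = { status: 200, body: { message: "If that address is registered, a reset email has been sent." } };

  return function handle(req, now = Date.now()) {
    const email = normalizeEmail(req.body && req.body.email);
    const ip = req.ip || "unknown";
    if (!email.includes("@")) return { status: 400, body: { message: "A valid email is required." }, sent: false };

    if (!ipLimiter.allow(ip, now)) {
      log({ event: "password_reset_ip_throttled", ip, at: now });
      return { status: 429, body: { message: "Too many requests. Try again later." }, sent: false };
    }
    if (!emailLimiter.allow(email, now)) {
      // Over the per-address cap: drop the send but keep the generic response, and log it so
      // detection can alert on repeated attempts against one mailbox.
      log({ event: "password_reset_email_throttled", email, ip, at: now });
      return { ...GENERIC, sent: false };
    }
    sendResetEmail(email);
    return { ...GENERIC, sent: true };
  };
}

// Replays the pattern the advisory describes: many requests for one address in quick succession.
// Constructed input; returns how many emails actually left and what was logged.
function simulateFlood(count = 10) {
  const sent = [];
  const events = [];
  const handle = createForgotPasswordHandler({
    sendResetEmail: (e) => sent.push(e),
    log: (e) => events.push(e),
  });
  const t0 = 1000000; // arbitrary epoch milliseconds
  const responses = [];
  for (let i = 0; i < count; i++) {
    responses.push(handle({ body: { email: "Victim@Example.com" }, ip: "203.0.113.7" }, t0 + i * 1000));
  }
  return { emailsSent: sent.length, responses, events };
}
```

With these assumed limits, ten rapid requests for one address produce three emails rather than ten; the remaining seven receive the same 200 response but are logged as throttled, which is the signal a SOC would alert on. The per-IP cap catches distributed-target abuse from one source, and the in-memory Map would be replaced by a shared store (e.g. Redis) in a multi-instance deployment.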

Added: Apr 3, 2026, 4:41 PM
Updated: Apr 3, 2026, 4:41 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.8
exploitability: 9.1
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.