baserCMS Mail API Form Submission Bypass Vulnerability

Vulnerability

A vulnerability in baserCMS versions prior to 5.2.3 allows unauthenticated users to bypass mail form acceptance controls through a public API. This issue enables unauthorized submissions via the Mail API, even when forms are not accepting entries, potentially leading to spam or abuse. The vulnerability arises because the API endpoint does not check the form's acceptance status, a control that is enforced in the user interface.

Impact

Exploitation of this vulnerability allows for unauthorized mail submissions through the Mail API, bypassing administrative controls and potentially leading to spam or abuse.

Reproduction

To reproduce this vulnerability, first ensure that a mail form is configured to reject submissions. Then, obtain a CSRF cookie and token pair by accessing the site root. With this token, send a POST request to the Mail API's 'add' endpoint, including the necessary form data. The server will respond with a '200 OK' status, indicating that the mail message was successfully created, despite the form being closed.
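The root cause described above is an authorization check that lives only in the UI path. The following is an added illustration (not baserCMS code; the form fields, handler names and sample data are assumptions) of the vulnerable API handler beside a hardened one that shares a single server-side acceptance rule with the UI:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

@dataclass
class MailForm:
    # Assumed fields for illustration; not the baserCMS schema.
    name: str
    status: bool                       # form published at all?
    publish_begin: Optional[datetime]  # start of acceptance window (None = open)
    publish_end: Optional[datetime]    # end of acceptance window (None = open)

def is_accepting(form: MailForm, now: datetime) -> bool:
    """One acceptance rule, enforced on every entry point (UI and API)."""
    if not form.status:
        return False
    if form.publish_begin is not None and now < form.publish_begin:
        return False
    if form.publish_end is not None and now > form.publish_end:
        return False
    return True

def api_add_vulnerable(form: MailForm, data: dict, now: datetime) -> Tuple[int, dict]:
    # Before: the API trusts that the UI already gated the submission.
    # A valid CSRF token only proves the request is not cross-site; it says
    # nothing about whether the form is open, so the message is created anyway.
    return 200, {"message": f"Mail message created for form '{form.name}'"}

def api_add_fixed(form: MailForm, data: dict, now: datetime) -> Tuple[int, dict]:
    # After: the same rule the UI applies runs server-side before any write.
    if not is_accepting(form, now):
        return 403, {"error": "This form is not currently accepting submissions"}
    return 200, {"message": f"Mail message created for form '{form.name}'"}

# Constructed sample data: a form whose acceptance window ended in the past.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CLOSED_FORM = MailForm("contact", True, None, datetime(2025, 1, 1, tzinfo=timezone.utc))
OPEN_FORM = MailForm("contact", True, None, None)
UNPUBLISHED_FORM = MailForm("contact", False, None, None)

if __name__ == "__main__":
    print(api_add_vulnerable(CLOSED_FORM, {"name": "x"}, NOW))  # 200 despite closed form
    print(api_add_fixed(CLOSED_FORM, {"name": "x"}, NOW))       # 403
    print(api_add_fixed(OPEN_FORM, {"name": "x"}, NOW))         # 200
```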

Remediation

Users are advised to update baserCMS to version 5.2.3 or later.

Added: Mar 31, 2026, 1:22 AM
Updated: Mar 31, 2026, 1:22 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.