CVE-2026-13164
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description
Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker.
CVSS Scores: not provided
EPSS Scores: not provided
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
mailerup  mailerup   up to 1.0.1 (exclusive)
CWE ID   Description
CWE-306  The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions
Executive Summary

This vulnerability is a Missing Authentication for a Critical Function (CWE-306) in the RegisterView component of MailerUp versions before 1.0.1. It occurs at the POST /api/auth/register/ endpoint, which allows remote, unauthenticated attackers to create working user accounts even when registration is supposed to be restricted.

The endpoint applies the AllowAny permission without requiring email verification, CAPTCHA, or administrator approval. As a result, attackers can self-register accounts without any authentication or validation.

Any account created this way can access and read all email stored by the instance, leading to full disclosure of stored messages to an arbitrary unauthenticated attacker.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to create accounts and gain unauthorized access to all stored emails within the affected MailerUp instance.

This leads to a full disclosure of sensitive email content, potentially exposing confidential information, personal data, or business communications to attackers.

Such unauthorized access can result in data breaches, loss of privacy, reputational damage, and potential legal consequences depending on the nature of the exposed information.

Compliance Impact

This vulnerability allows unauthenticated attackers to create accounts without verification and gain access to all stored email data, resulting in full disclosure of sensitive messages.

Such unauthorized access and disclosure of personal or sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and health-related information.

Therefore, the vulnerability poses a significant risk to compliance by failing to protect sensitive data from unauthorized access.

Detection Guidance

This vulnerability can be detected by checking whether the POST /api/auth/register/ endpoint is reachable and allows unauthenticated account creation without email verification, CAPTCHA, or administrator approval.

A practical check is to attempt to register a new user account via the POST /api/auth/register/ endpoint without any credentials and observe whether the registration succeeds.

Example command using curl to test the endpoint (replace your-mailerup-instance with the host under test):

  • curl -X POST https://your-mailerup-instance/api/auth/register/ -d '{"username":"testuser","password":"TestPass123"}' -H 'Content-Type: application/json'

If the response indicates successful registration without requiring verification or admin approval, the instance is vulnerable. A fixed instance (1.0.1 or later) no longer exposes this route, so the same request should fail rather than create an account.

Mitigation Strategies

The immediate mitigation step is to upgrade MailerUp to version 1.0.1 or higher, where the vulnerable RegisterView and the public /api/auth/register/ endpoint have been removed.

After upgrading, user accounts can only be created by administrators via the /api/auth/users/ endpoint or the createsuperuser command, preventing unauthenticated self-registration.

If upgrading immediately is not possible, consider disabling or restricting access to the /api/auth/register/ endpoint to prevent unauthenticated registrations.
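The following is an added example, not code from MailerUp or from this advisory. It shows the two shapes the registration view can take in a Django REST Framework style application: the vulnerable shape the advisory describes (AllowAny on an account-creation endpoint) beside the restricted shape that the 1.0.1 mitigation amounts to (account creation only by administrators). The permission classes and check_permissions() below are simplified stand-ins, an assumption, for rest_framework.permissions.AllowAny / IsAuthenticated / IsAdminUser and APIView.check_permissions, written so the file runs without Django installed; the view names other than RegisterView are also assumed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


# DRF represents an unauthenticated caller as a user with is_authenticated == False.
ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Request:
    method: str
    user: User
    data: dict = field(default_factory=dict)


class PermissionDenied(Exception):
    pass


# Stand-ins for DRF's permission protocol: has_permission(request, view) -> bool.
class BasePermission:
    def has_permission(self, request, view) -> bool:
        return True


class AllowAny(BasePermission):
    """Grants access to every caller, including unauthenticated ones."""


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view) -> bool:
        return bool(request.user and request.user.is_authenticated)


class IsAdminUser(BasePermission):
    def has_permission(self, request, view) -> bool:
        return bool(request.user and request.user.is_staff)


class View:
    # Default mirrors a safe DEFAULT_PERMISSION_CLASSES setting: deny anonymous callers
    # unless a view explicitly opts out.
    permission_classes = [IsAuthenticated]

    def check_permissions(self, request) -> None:
        # Stand-in for APIView.check_permissions: every class must grant access.
        for permission in self.permission_classes:
            if not permission().has_permission(request, self):
                raise PermissionDenied(permission.__name__)

    def dispatch(self, request) -> int:
        self.check_permissions(request)
        return self.post(request)


USERS: dict[str, User] = {}  # constructed in-memory user store


class RegisterView(View):
    """Vulnerable shape from the advisory: AllowAny on account creation."""
    permission_classes = [AllowAny]

    def post(self, request) -> int:
        USERS[request.data["username"]] = User(username=request.data["username"])
        return 201


class AdminUserCreateView(View):
    """Restricted shape (assumed name): only administrators may create accounts."""
    permission_classes = [IsAdminUser]

    def post(self, request) -> int:
        USERS[request.data["username"]] = User(username=request.data["username"])
        return 201


def try_create_account(view: View, caller: User, username: str) -> int:
    """Return the HTTP status the caller would receive from the view."""
    request = Request(method="POST", user=caller, data={"username": username})
    try:
        return view.dispatch(request)
    except PermissionDenied:
        return 403


def is_vulnerable(status: int) -> bool:
    """Detection rule from the guidance above: anonymous registration that succeeds."""
    return status == 201


if __name__ == "__main__":
    print("vulnerable view, anonymous:", try_create_account(RegisterView(), ANONYMOUS, "testuser"))
    print("restricted view, anonymous:", try_create_account(AdminUserCreateView(), ANONYMOUS, "testuser2"))
```

In a real DRF project the same restriction is expressed with `permission_classes = [IsAdminUser]` on the view, and the project-wide fallback is set through `REST_FRAMEWORK = {"DEFAULT_PERMISSION_CLASSES": [...]}` in settings; the point of the example is that account creation is a privileged action and must not inherit AllowAny.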
