Mailerup
Monthly
Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.
Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.
Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch (1.0.1) removes the public registration endpoint entirely.
Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.