HackerOne Disclosed Reports - 2025-08-18


Critical
resolved

Email verification bypass via request to endpoint "accounts.insightly.com/signup/provisionuser"


Bug reported by Ali Kostak, disclosed on August 18, 2025, 7:55 pm | Improper Authorization

The vulnerability allowed email verification to be bypassed when creating a new Insightly account. The flaw was in the "EmailAddress" parameter of the member-creation endpoint: by modifying that parameter, an attacker could create a new account bound to any email address, including the address of an existing user, effectively taking over that user's account.


Medium
resolved

No SPF/DMARC records on mb-cosmos.com


Bug reported by Aditya Sharma, disclosed on August 18, 2025, 1:58 pm | Violation of Secure Design Principles

The domain mb-cosmos.com published no SPF or DMARC records, so messages claiming to originate from the domain could be spoofed: receiving mail servers had no published policy with which to authenticate the sender. The issue was reported as a security vulnerability.




