resolved
Email verification bypass via request to endpoint "accounts.insightly.com/signup/provisionuser"
Bug reported by Ali Kostak was disclosed on August 18, 2025, 7:55 pm | Improper Authorization
The vulnerability allowed bypassing email verification when creating a new Insightly account. The vulnerability existed in the "EmailAddress" parameter of the member creation endpoint. By modifying the parameter, an attacker could create a new account using any email address, including those of existing users, effectively taking over their accounts.
resolved
No SPF/DMARC records on mb-cosmos.com
Bug reported by Aditya Sharma was disclosed on August 18, 2025, 1:58 pm | Violation of Secure Design Principles
The domain mb-cosmos.com lacked SPF and DMARC records, allowing email spoofing: messages could be sent that appeared to originate from the domain without any sender authentication. This was reported as a security issue.