CVE-2022-44005

Vulnerability

The newsletter sign-up functionality in BACKCLICK Professional 5.9.63 (on-premises) uses consecutive IDs in verification links. These links contain a base64-encoded parameter c that encodes an incrementing subscriber ID and a list ID (e.g., MTRfMQ== decodes to 14_1). This design allows an attacker to enumerate all subscriber email addresses by iterating through sequential IDs. Additionally, the application does not verify ownership of the email address before allowing subscription and verification, enabling an attacker to subscribe and verify arbitrary email addresses without the owner's consent [1][2].

Exploitation

An attacker needs only network access to the publicly accessible subscription form; no authentication is required. By crafting verification URLs with sequential subscriber IDs (e.g., incrementing the first number in the decoded c parameter), the attacker can enumerate all subscriber email addresses. Furthermore, the attacker can submit subscription requests for any email address and then use the predictable verification link to confirm the subscription without the victim's interaction [1].

Impact

Successful exploitation results in the disclosure of all subscriber email addresses (confidentiality breach) and the ability to subscribe and verify third-party email addresses to newsletters without consent. This could be leveraged for spam campaigns or to damage the reputation of the email owner. No code execution or privilege escalation is reported [1][2].

Mitigation

As of the advisory publication date (2022-11-14), the manufacturer had not released a fix; the solution status is listed as unknown. No workaround is documented. Users should monitor for updates from BACKCLICK GmbH. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [1].