Open
Description
Hi,
I know Cachet 2.x is already discontinued before a 3.x release is available. I think this bug should be noted anyway.
I'm running v2.4.0-dev on a debian 12 system with apache2. I disabled the Allow people to signup to email notifications? setting.
This setting removed the "Subscribe" button from the main page, which links to https://status.domain.com/subscribe, but it does NOT disable the /subscribe endpoint itself.
Calling it directly still allows submitting an email address for subscribing, which resulted in a quite massive spam attempt on my status page.
Metadata
Metadata
Assignees
Labels
No labels