Email preview access

Your software
My Mautic version is: 4.0.1
My PHP version is: 7.4
My Database type and version is: 10.5.12-MariaDB-1:10.5.12+maria~buster

Your problem
We are testing Mautic in order to send automatic reminders to users about the services they’re subscribed to.

These emails are sent regularly to the user until either:

  • the user clicks the “cancel this reminder” link
  • the specific campaign expires

Now, I noticed that the Email Preview page is freely accessible to everyone (no login is needed) at this address:
https://mautic_server_URL/email/preview/ID

while the {webview_text} link contained in the email is reachable at this address:
https://mautic_server_URL/email/view/NONCE

The ID is a simple counter starting from 1, so easily guessable, while the NONCE is a hex string unique for each user. This leaves easy access to all the reminder emails to everyone on the net.

As the reminder email can possibly contain sensitive information, I was wondering if it is possible to limit access to the Preview page, for example to logged-in users only.

Thanks!

BTTT - Just a single back-to-the-top after 14 days :slight_smile:

I think that leaving open access to the preview of all the email pages is not a good thing.

Is it possible to change the ID in the Email Preview page http address with a random OID?
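As an added example (not part of the original post, and not Mautic's own code): a small Python check a defender could run over the reverse proxy's access log to spot a client walking the sequential /email/preview/ID counter, while per-recipient /email/view/NONCE hits are left alone. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# One line of Apache/nginx "combined" access log from the proxy in front of Mautic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# The unauthenticated preview route: a small integer counter, not a per-recipient nonce.
PREVIEW_RE = re.compile(r"^/email/preview/(?P<id>\d+)/?(?:\?.*)?$")

def preview_ids_per_client(log_lines):
    """Map client IP -> set of distinct preview IDs it fetched with HTTP 200."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        p = PREVIEW_RE.match(m["path"])
        if p and m["status"] == "200":
            seen[m["ip"]].add(int(p["id"]))
    return seen

def flag_enumeration(log_lines, min_distinct=5, max_gap=2):
    """Flag clients that walked the counter: >= min_distinct distinct previews fetched
    with no jump larger than max_gap between consecutive IDs. Returns {ip: (lo, hi, count)}."""
    flagged = {}
    for ip, ids in preview_ids_per_client(log_lines).items():
        ordered = sorted(ids)
        if len(ordered) < min_distinct:
            continue  # an editor checking one or two previews is normal traffic
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps, default=0) <= max_gap:
            flagged[ip] = (ordered[0], ordered[-1], len(ordered))
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps and nonce).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2021:12:00:01 +0000] "GET /email/preview/1 HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Oct/2021:12:00:02 +0000] "GET /email/preview/2 HTTP/1.1" 200 5090 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Oct/2021:12:00:03 +0000] "GET /email/preview/3 HTTP/1.1" 200 5201 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Oct/2021:12:00:04 +0000] "GET /email/preview/4 HTTP/1.1" 200 4980 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Oct/2021:12:00:05 +0000] "GET /email/preview/5 HTTP/1.1" 200 5111 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Oct/2021:12:00:06 +0000] "GET /email/preview/6 HTTP/1.1" 404 312 "-" "curl/7.68.0"',
    '192.0.2.10 - - [10/Oct/2021:12:05:00 +0000] "GET /email/preview/42 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2021:12:07:13 +0000] "GET /email/view/9f3c2a7d1e HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```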