Email preview access

gbm_admin · October 15, 2021, 11:22am

Your software
My Mautic version is: 4.0.1
My PHP version is: 7.4
My Database type and version is: 10.5.12-MariaDB-1:10.5.12+maria~buster

Your problem
We are testing Mautic in order to send automatic reminders to users about the services they’re subscribed to.

These emails are sent regularly to the user until either:

the user clicks the “cancel this reminder” link
the specific campaign expires

Now, I noticed that the Email Preview page is freely accessible to everyone (no login is needed) at this address:
https://mautic_server_URL/email/preview/ID

while the {webview_text}‍ link contained in the email is reacheable at this address:
https://mautic_server_URL/email/view/NONCE

The ID is a simple counter starting from 1, so easily guessable, while the NONCE is an hex string unique for each user. This leaves an easy access to all the reminder emails to everyone on the net.

As the reminder email can possibly contain sensible information, I was wondering if it is possible to limit the access to the Preview page, for example to logged-in users only.

Thanks!

gbm_admin · October 29, 2021, 11:28am

BTTT - Just a single back-to-the-top after 14 days

I think that leaving an open access to the preview of all the email pages is not a good thing.

Is it possible to change the ID in the Email Preview page http address with a random OID?

Topic		Replies	Views
Email preview page giving 403 error Product Support	0	226	June 23, 2021
Problems viewing an email in browser Product Support	2	423	November 17, 2016
Anonymize Read Information Product Support	0	132	November 24, 2022
Preview URL under Channel -> EMail "Not public mode" General Discussion	3	570	September 7, 2023
Mautic not correctly recognizing email opens or reads Product Support	0	15	October 28, 2024

Email preview access

Related topics