So, as it is right now, you are able to verify a user by bypassing the domain name restriction. When it tells the user to verify, you are able to simply bypass the @ split by using something like this:
Allowed domain: test.edu
Exploit:
"test@test.edu@"@mydomain.com
This input will bypass the test, and all I have to do is run a nc listener on port 25 on a VPS and I'll receive the connection with the code and verify. Fixed the issue using two methods; you can choose which one to implement.
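To illustrate the bug class, here is an added example (not code from this PR or project): a reconstructed, hypothetical version of a split-on-@ domain check next to a stricter check that rejects quoted local parts, requires exactly one @, and compares the domain an MTA would actually route on. The allowed domain and addresses are the ones from the report above.

```python
import re

ALLOWED_DOMAIN = "test.edu"

# Assumed shape of the vulnerable check: split on '@' and trust element [1].
# For '"test@test.edu@"@mydomain.com' the split yields
# ['"test', 'test.edu', '"', 'mydomain.com'], so element [1] passes.
def naive_domain_ok(address: str, allowed: str = ALLOWED_DOMAIN) -> bool:
    parts = address.split("@")
    return len(parts) >= 2 and parts[1].lower() == allowed


# Where a mail server routes the message: everything after the LAST '@'.
# Quoted local parts like "test@test.edu@" are legal, so the routing domain
# can differ from whatever an earlier split element contains.
def routing_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


# Hardened check: exactly one '@', an unquoted local part drawn from a
# conservative character set (no quotes, spaces or '@'), and the domain
# compared case-insensitively against the allow-list.
LOCAL_RE = re.compile(r"[A-Za-z0-9._%+-]+")
DOMAIN_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

def strict_domain_ok(address: str, allowed: str = ALLOWED_DOMAIN) -> bool:
    if address.count("@") != 1:
        return False
    local, domain = address.rsplit("@", 1)
    if not LOCAL_RE.fullmatch(local) or not DOMAIN_RE.fullmatch(domain):
        return False
    # The routing domain and the checked domain are now guaranteed to agree.
    return domain.lower() == allowed


if __name__ == "__main__":
    for addr in ['"test@test.edu@"@mydomain.com', "alice@test.edu"]:
        print(addr, naive_domain_ok(addr), strict_domain_ok(addr),
              "routes to", routing_domain(addr))
```

The naive check accepts the report's payload while the mail would be delivered to mydomain.com; the strict check rejects it and still accepts ordinary test.edu addresses.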