URL editing shows success message, but doesn’t carry out function

I’ve been looking into my college’s internal alumni network. In that we can send connections to users and when you send a connection request, you’re taken to a url which is: https://www.website.com/yourwall/sent-invite/username/?Sendcon=true
And a message

Your invitation to Name was sent.

is displayed where ‘Name’ is the name of the user associated with ‘username’
Even though we get a success message, the connection request is not sent. And if we supply an invalid ‘username’ parameter into the url we still get a success message but as:

Your invitation to {:user} was sent.

Could this be a vulnerability? How can it be exploited and mitigated?

Go to Source
Author: Ananda Sai A