You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
JanCizmar
published
GHSA-gx3w-rwh5-w5cgSep 7, 2023
Package
tolgee/tolgee
(DockerHub)
Affected versions
<= v3.29.1
Patched versions
v3.29.2
Description
Summary
Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims.
At this moment registered user (as a bad actor) can attack (victim) with real email from Tolgee - HTML Injection (Server-Side Injection - Content Spoofing).
Summary
Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims.
At this moment registered user (as a bad actor) can attack (victim) with real email from Tolgee - HTML Injection (Server-Side Injection - Content Spoofing).
Details
Occurrences:
https://github.com/tolgee/tolgee-platform/blob/main/backend/data/src/main/kotlin/io/tolgee/component/email/InvitationEmailSender.kt#L26
PoC
Payload example (name of Org - from invitation):
Org<a href="www.github.com">s
Repro steps:
Result - screenshot:
For Repro steps please use own emails, but please notice that bad actors can make this with victims email addresses (which not own).
Proposed remediation: Sanitize/purify mentioned input data from users - don't allow to this.
Impact
Bad actors can use this to phishing actions for example. Email is really send from Tolgee, but bad actors can add there HTML code injected.
Additional informations:
References:
CAPEC-242: Code Injection - https://capec.mitre.org/data/definitions/242.html
Server-Side Injection Content Spoofing Email HTML Injection - https://bugcrowd.com/vulnerability-rating-taxonomy
CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html
Best regards,