Multiple email templates in backend/src/utils/email.ts include user-controlled data (for example organization.name, announcement.message) directly in HTML without escaping. This is a high-risk design that allows HTML injection attacks via email.
Example:

    const html = `
      <h1>You've Been Invited to Manage ${organization.name}</h1>
      <p>${creator.name} has invited you...</p>
    `;
If a user creates an organization named:
My Org</h1><p style="color:red;font-size:24px">URGENT: Your account has been compromised. <a href="https://ssy38.com/phish">Click here to secure it</a></p><h1>
This content is rendered directly in the recipient's email.
Suggestion:
Create a small HTML escaping utility and apply it to every user-controlled value before it is interpolated into a template. For example:
    // Escape the five characters that can change HTML structure or attribute boundaries.
    // "&" must be replaced first so that the entities produced below are not re-escaped.
    function escapeHtml(str: string): string {
      return str
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
    }
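To show how the escaping utility fits into the templates, here is an added example (not code from the project's email.ts): an escapeHtml helper plus a tagged template function that escapes every interpolated value by default, so a developer cannot forget to call the helper for one field. The Organization and User shapes, renderInviteEmail and the sample organization name are assumptions constructed for the example.

```typescript
// Added example, not the project's own code. Demonstrates escape-by-default templating.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the characters that can break out of text content or attribute values.
function escapeHtml(value: unknown): string {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for markup the developer wrote and deliberately wants inserted verbatim.
class SafeHtml {
  constructor(public readonly value: string) {}
}
function raw(markup: string): SafeHtml {
  return new SafeHtml(markup);
}

// Tagged template: static chunks pass through, every ${...} value is escaped
// unless it was explicitly wrapped with raw().
function html(strings: TemplateStringsArray, ...values: unknown[]): string {
  let out = "";
  strings.forEach((chunk, i) => {
    out += chunk;
    if (i < values.length) {
      const v = values[i];
      out += v instanceof SafeHtml ? v.value : escapeHtml(v);
    }
  });
  return out;
}

// Hypothetical shapes standing in for the project's own types.
interface Organization { name: string }
interface User { name: string }

// The invitation template from the report, rewritten with escape-by-default.
function renderInviteEmail(organization: Organization, creator: User): string {
  return html`
<h1>You've Been Invited to Manage ${organization.name}</h1>
<p>${creator.name} has invited you to manage this organization.</p>
`;
}

// Constructed sample: a name that would close the <h1> and inject markup if unescaped.
const SAMPLE_HOSTILE_NAME = 'My Org</h1><p style="color:red">Fake alert</p><h1>';

// Renders the template with the hostile name; the injected tags come out as entities.
function demo(): string {
  return renderInviteEmail({ name: SAMPLE_HOSTILE_NAME }, { name: "Alice & Bob" });
}

console.log(demo());
```

The tagged template is the important part: once every template in email.ts is written with the html tag, an unescaped value requires an explicit raw() call, which is easy to spot in code review, whereas the reverse (calling escapeHtml on every field by hand) fails silently the first time someone forgets.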
Disclaimer:
I have not and will not use this for attacking the product or other issues to attack any other products by DTI.