Medium

lunary

Unauthorized Email Injection Vulnerability

A vulnerability in the email verification and sign-up APIs of lunary v1.2.26 allows unauthenticated attackers to inject data into outgoing emails. The issue was patched in version 1.4.10.

Available publicly on Oct 08 2024

Threat Overview

The vulnerability allows an attacker to inject arbitrary data into emails sent by the application. The extractFirstName function is meant to keep only the first word of the submitted name, but it only recognises the ordinary ASCII space as a separator; a name whose words are joined with non-breaking spaces (\xa0) is treated as a single word, so the entire attacker-supplied string is placed into the email. The injected text can be used for phishing, distributing malware, damaging the brand's reputation, creating legal exposure, and incurring financial costs from unauthorized use of the sending infrastructure.

Attack Scenario

An attacker crafts a POST request to the /v1/users/send-verification or /auth/signup endpoint, replacing the normal spaces in the name field with \xa0 so that the whole payload survives first-name extraction and is rendered into the email body. The email is then delivered to the victim from the application's legitimate sender address, so it appears trustworthy while carrying the attacker's links or text.

Who is affected

Users of the application version v1.2.26 who rely on the email verification and sign-up features are affected. This includes both the application's users and the organization itself, which may suffer from brand damage, legal issues, and financial costs.
