CVE-2023-41316

Published: Sep 7, 2023

Modified: Sep 26, 2024

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
tolgee	tolgee-platform	affected `< 3.29.2`

Weaknesses (CWE)

CWE-79

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg

x_refsource_CONFIRM

https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-41316

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References