SYM_PY_0214 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Property | Value |
---|---|
Language | Python |
Severity | |
CWE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
OWASP | A03:2021 - Injection |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Medium |
Description
Data taken from an HTTP request (a query-string, form or JSON field) is interpolated into the string passed as the `html_message` argument of Django's `send_mail()` without being escaped. `send_mail()` attaches `html_message` to the outgoing mail verbatim as a `text/html` alternative, so an attacker who controls that value can inject arbitrary markup into a message that your application sends from its own domain. Django does not escape `html_message` for you; only rendering the body through a template with autoescaping enabled, or escaping the value before interpolation, does.
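The following is an added example, not code from the Symbiotic Vulnerability Database page or from Django, showing the vulnerable construction next to its hardened form. The "share a document" endpoint, the HTML template, the URLs and the attacker payload are all constructed for the demonstration. It uses the standard library's `html.escape` (same character set as `django.utils.html.escape`) and a recording stub with the signature of `django.core.mail.send_mail`, so it runs without Django or an SMTP server; in a real project you would pass the real `send_mail`.

```python
from html import escape  # escapes & < > " ' like django.utils.html.escape

# Constructed attacker-controlled input: the ?name= parameter of a hypothetical
# "share this document" endpoint. URL and wording are assumptions for the demo.
MALICIOUS_NAME = '<a href="https://attacker.example/reset">Reset your password now</a>'
BENIGN_NAME = "Ada Lovelace"

# Hypothetical HTML body of the notification; {name} is where request data lands.
HTML_TEMPLATE = (
    "<p>Hello,</p>"
    "<p>{name} has shared a document with you.</p>"
    '<p><a href="https://app.example.org/docs/42">Open the document</a></p>'
)

# Calls captured by the send_mail stand-in, so results can be inspected offline.
SENT: list = []


def vulnerable_html_message(name: str) -> str:
    """What the finding describes: request data dropped into the HTML body as-is."""
    return HTML_TEMPLATE.format(name=name)


def safe_html_message(name: str) -> str:
    """Hardened form: escape before interpolation so the mail client renders text."""
    return HTML_TEMPLATE.format(name=escape(name, quote=True))


def fake_send_mail(subject, message, from_email, recipient_list,
                   fail_silently=False, auth_user=None, auth_password=None,
                   connection=None, html_message=None):
    """Stand-in with the signature of django.core.mail.send_mail. It records the
    call instead of delivering anything (assumed here; not Django's code)."""
    SENT.append({"subject": subject, "message": message, "from_email": from_email,
                 "recipient_list": list(recipient_list), "html_message": html_message})
    return len(recipient_list)


def send_share_notification(request_params: dict, recipient: str,
                            send_mail=fake_send_mail, hardened: bool = True) -> dict:
    """Build and send the notification. hardened=False reproduces the bug.
    `send_mail` defaults to the recording stub; pass django.core.mail.send_mail in Django."""
    name = request_params.get("name", "")
    html_body = safe_html_message(name) if hardened else vulnerable_html_message(name)
    # The plain-text alternative carries no markup, so it needs no HTML escaping.
    plain_body = f"{name} has shared a document with you: https://app.example.org/docs/42"
    send_mail(subject="A document was shared with you",
              message=plain_body,
              from_email="noreply@app.example.org",
              recipient_list=[recipient],
              html_message=html_body)
    return {"message": plain_body, "html_message": html_body}


def injected_markup_survives(raw_value: str, html_body: str) -> bool:
    """Check to run over a captured message: does the raw request value, tags and
    all, appear verbatim in the text/html alternative?"""
    return raw_value in html_body


if __name__ == "__main__":
    bad = send_share_notification({"name": MALICIOUS_NAME}, "victim@example.org", hardened=False)
    good = send_share_notification({"name": MALICIOUS_NAME}, "victim@example.org")
    print("vulnerable:", injected_markup_survives(MALICIOUS_NAME, bad["html_message"]))   # True
    print("hardened:  ", injected_markup_survives(MALICIOUS_NAME, good["html_message"]))  # False
    print(good["html_message"])
```

In the vulnerable path the recipient's mail client renders a clickable "Reset your password now" link pointing at the attacker's host, inside a message that legitimately comes from `noreply@app.example.org`. In the hardened path the same bytes arrive as `&lt;a href=&quot;...&quot;&gt;` and display as inert text. In a Django project the idiomatic fix is to build the body with `django.template.loader.render_to_string()` (templates autoescape by default) or `django.utils.html.format_html()` rather than string formatting, and to keep sending a plain-text `message` alongside the HTML alternative.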
Impact
If exploited, a recipient who trusts the sender sees attacker-controlled content inside a genuine message from your domain, which makes convincing phishing possible: a fake "reset your password" link, a credential-harvesting form, or a remote image that reports when and from where the message was opened. Most mail clients strip or refuse to run JavaScript, so script execution is rarely the practical outcome; injected HTML content is. The likely consequences are stolen credentials and account takeover, loss of user trust, and, where personal data is exposed, data-breach or regulatory consequences for your organization.