SYM_PY_0215 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input from the HTTP request is being included directly in the HTML body of an email without proper sanitization or escaping. This allows attackers to inject malicious HTML or JavaScript into emails sent from your application.
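The following is an added example written for this page, not code from the SymbioticSec database or the rule itself. It shows the pattern the rule describes (an HTTP request value interpolated straight into an HTML e-mail body) next to the escaped form, and wraps the result in a multipart message. The request parameter dictionary, the greeting template and the recipient address are all constructed here for illustration; the `injected_tag_count` helper is a hypothetical check used only to make the difference measurable.

```python
"""Added example: unescaped vs. escaped HTTP input in an HTML e-mail body (CWE-74).

Not part of the SymbioticSec rule page; the request data, template and
recipient are constructed for illustration.
"""
import html
from email.message import EmailMessage

# Constructed stand-in for the parsed query/form parameters of an HTTP request.
# The "name" value carries markup, as a hostile client could send it.
SAMPLE_REQUEST_ARGS = {
    "name": '<a href="https://phish.example/login">Reset your password</a>',
}


def build_body_unsafe(display_name: str) -> str:
    """Vulnerable pattern flagged by the rule: the untrusted value is placed
    directly into HTML, so any tags it contains are rendered by the mail client."""
    return f"<p>Hello {display_name}, your order has shipped.</p>"


def build_body_safe(display_name: str) -> str:
    """Hardened form: html.escape() turns <, >, & and both quote characters into
    entities, so the value is displayed as text and cannot open a new tag or
    attribute. quote=True matters when the value may land inside an attribute."""
    return f"<p>Hello {html.escape(display_name, quote=True)}, your order has shipped.</p>"


def make_message(html_body: str, recipient: str) -> EmailMessage:
    """Build a multipart/alternative message with a plain-text and an HTML part.
    The HTML part must already be escaped by the caller."""
    msg = EmailMessage()
    msg["Subject"] = "Shipping notification"
    msg["To"] = recipient
    msg.set_content("Hello, your order has shipped.")   # plain-text fallback
    msg.add_alternative(html_body, subtype="html")      # promotes to multipart/alternative
    return msg


def injected_tag_count(html_body: str) -> int:
    """Hypothetical review check: the template itself contributes exactly two '<'
    characters (<p> and </p>); anything beyond that came from the interpolated value."""
    return html_body.count("<") - 2


if __name__ == "__main__":
    name = SAMPLE_REQUEST_ARGS["name"]
    print("unsafe:", build_body_unsafe(name), "| injected tags:", injected_tag_count(build_body_unsafe(name)))
    print("safe:  ", build_body_safe(name), "| injected tags:", injected_tag_count(build_body_safe(name)))
    print(make_message(build_body_safe(name), "recipient@example.com").get_content_type())
```

Escaping belongs at the point where the value is written into HTML, not at input time, because the same value may later be emitted into a different context (plain text, a log line, a database) where HTML entities would be wrong. A templating engine with autoescaping enabled achieves the same result for every interpolated field at once, which is easier to audit than escaping each one by hand.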
Impact
If exploited, recipients of these emails could be exposed to cross-site scripting (XSS) attacks. Attackers could steal user credentials, perform phishing, or execute malicious actions on behalf of users, leading to data breaches and damaging trust in your application or organization.