Agate HTML Injection Vulnerability in User Registration

Vulnerability

A vulnerability in Agate, a central authentication server for OBiBa epidemiology applications, prior to version 3.3.0, allows arbitrary HTML injection into a user's first and last name during account registration. This injected HTML is rendered in emails sent to administrative users from the Agate service account, which appears trustworthy. This creates a significant phishing risk, as administrative users can be targeted by unauthenticated users.

Impact

Exploitation of this vulnerability could lead to a successful phishing attack on administrative users, potentially allowing for credential theft or unauthorized access to administrative accounts.

Reproduction

To reproduce this vulnerability, register a new Agate account as an unauthenticated user and place HTML in the last name field, crafted to mimic the appearance of an email an administrator would normally receive. Once the account is created, the injected HTML is rendered unescaped in the notification email the admin receives.
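The defect described above is a templating one: user-controlled name fields are interpolated into an HTML email body without escaping. The following added example (not Agate's code; the template text, function names and the regex are constructed here to illustrate the pattern) shows the vulnerable rendering beside a hardened version that escapes every user-supplied value, plus an input-validation check a registration endpoint can apply so that names containing tag or entity syntax are rejected before they ever reach a template:

```python
import html
import re

# Constructed stand-in for an admin notification template; not Agate's real template.
ADMIN_TEMPLATE = (
    "<p>A new account is pending approval.</p>"
    "<p>Name: {first_name} {last_name}</p>"
)

# Anything resembling an HTML tag or a character entity inside a display-name field.
_MARKUP_RE = re.compile(r"<[^>]*>|&#?\w+;")


def render_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable pattern: raw user input is placed directly into the HTML body."""
    return ADMIN_TEMPLATE.format(first_name=first_name, last_name=last_name)


def render_safe(first_name: str, last_name: str) -> str:
    """Hardened pattern: escape each user-controlled value before it enters HTML.

    quote=True also escapes ' and " so the value is safe inside attributes.
    """
    return ADMIN_TEMPLATE.format(
        first_name=html.escape(first_name, quote=True),
        last_name=html.escape(last_name, quote=True),
    )


def looks_like_markup(value: str) -> bool:
    """Detection helper: True if a name field contains tag or entity syntax."""
    return bool(_MARKUP_RE.search(value))


def validate_name(value: str, max_len: int = 100) -> str:
    """Registration-time check: reject markup and over-long names, return the
    stripped value otherwise. Raise ValueError so the caller can return 400."""
    cleaned = value.strip()
    if not cleaned:
        raise ValueError("name must not be empty")
    if len(cleaned) > max_len:
        raise ValueError("name too long")
    if looks_like_markup(cleaned):
        raise ValueError("name must not contain HTML")
    return cleaned


if __name__ == "__main__":
    # Constructed sample input: a last name carrying a tag.
    first, last = "Ann", "<b>Example</b>"
    print("unsafe:", render_unsafe(first, last))
    print("safe:  ", render_safe(first, last))
    try:
        validate_name(last)
    except ValueError as exc:
        print("rejected at registration:", exc)
```

Escaping at render time is the control that actually closes the hole, because it protects every sink regardless of how the value got into the database; the validation helper is defence in depth that also gives operators a cheap signal (rejected registrations) to alert on.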

Remediation

Users can upgrade to Agate version 3.3.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.