Mailgen HTML Injection Vulnerability in Plaintext Emails

Vulnerability

An HTML injection vulnerability has been identified in Mailgen, a Node.js package for generating responsive HTML emails. It affects all versions up to and including 2.0.30. The flaw is in the plaintext emails produced by the 'generatePlaintext' method when they include user-generated content. The method is meant to strip HTML tags, but it does not strip tags whose angle brackets arrive encoded as HTML entities (for example '&lt;' and '&gt;'). Those entities are decoded later in the pipeline, so the output that is supposed to be plain text ends up containing live HTML, such as an image tag carrying an event handler. Wherever that plaintext is subsequently rendered as HTML, attacker-controlled JavaScript can execute.

Impact

Successful exploitation yields HTML injection: script contained in the injected markup runs in the context of the user viewing the email, which amounts to cross-site scripting (XSS). The precondition is that the consuming application or mail client renders the supposedly plaintext body as HTML; a client that displays it as text/plain shows the markup literally and does not execute it.

Reproduction

To reproduce, install Mailgen 2.0.30 or earlier and pass user-generated content containing entity-encoded HTML tags (the angle brackets written as '&lt;' and '&gt;') to the 'generatePlaintext' method. The encoded tags are not recognised as tags and so survive the stripping step; once the entities are decoded, the generated plaintext contains the active markup. Inspect the returned string for literal '<' and '>' characters to confirm.
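
The strip-then-decode ordering that the Vulnerability and Reproduction sections describe, modelled as an added JavaScript example. This is not Mailgen's code: the entity table, the regexes and the function names are assumptions made for the illustration, and the actual fix shipped in 2.0.31 is not reproduced here.

```javascript
// Added illustration, not Mailgen's own code: a minimal model of the ordering
// defect described in the advisory. A tag-stripping pass that runs before
// entity decoding lets "&lt;img ...&gt;" through untouched; the decode pass
// then turns it into a real <img> tag. The entity table and the regexes are
// assumptions made for the demonstration, not the library's implementation.

// Decode the few named entities the demonstration needs.
function decodeEntities(s) {
  return s
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/gi, '&'); // last, so "&amp;lt;" becomes "&lt;", not "<"
}

// Remove anything that looks like an HTML tag (literal angle brackets only).
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Flawed order: strip, then decode. Encoded tags survive the strip and are
// decoded into live markup, which is the advisory's finding.
function toPlaintextVulnerable(userContent) {
  return decodeEntities(stripTags(userContent));
}

// Hardened order: decode until the string stops changing (so double-encoded
// input such as "&amp;lt;" cannot smuggle a tag past one decode pass), then
// strip. The output contains no tag, encoded or literal.
function toPlaintextFixed(userContent) {
  let s = userContent;
  let prev;
  do {
    prev = s;
    s = decodeEntities(s);
  } while (s !== prev);
  return stripTags(s);
}

// Consumer-side check: the string returned by a plaintext generator should
// never contain something that parses as a tag.
function containsHtmlTag(plaintext) {
  return /<\/?[a-z][^>]*>/i.test(plaintext);
}

// Constructed sample of user-generated content with an entity-encoded tag.
const SAMPLE_USER_CONTENT = 'Hello &lt;img src=x onerror=alert(1)&gt;';

console.log('vulnerable:', JSON.stringify(toPlaintextVulnerable(SAMPLE_USER_CONTENT)));
console.log('fixed:     ', JSON.stringify(toPlaintextFixed(SAMPLE_USER_CONTENT)));
```

Run it with node: the first line shows the decoded image tag sitting in the "plaintext", the second shows it removed. The hardened ordering is still lossy (stripping also removes legitimate angle-bracket text such as '1 < 2 > 0' along with tags), which is one more reason a consumer should refuse to render plaintext as HTML rather than rely on the generator alone.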

Remediation

Upgrade to Mailgen version 2.0.31 or later, where this issue is fixed. Until the upgrade is possible, do not render the output of 'generatePlaintext' as HTML: deliver it only as a text/plain part, or HTML-escape it before rendering.

Added: Oct 14, 2025, 4:18 PM
Updated: Oct 14, 2025, 10:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 8.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.