OpenObserve
cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*
A vulnerability exists in OpenObserve versions through 0.16.1, allowing HTML injection in organization invitation emails. When an organization name containing HTML is created or renamed, the markup is rendered in the invitation email. This issue arises because user-controlled input is inserted into the email template without proper HTML escaping. As a result, HTML tags are rendered instead of being displayed as plain text, potentially leading to phishing, brand spoofing, and social engineering risks.
Exploitation of this vulnerability allows for HTML injection in email invitations, which can be used for phishing, brand spoofing, and deceptive link manipulation.
To reproduce this vulnerability, sign in to OpenObserve Cloud and create a new organization or rename an existing one with a name that includes HTML, such as underlined text or a hyperlink. Afterward, send an invitation to an email you control and observe that the HTML is rendered instead of shown as plain text.
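The root cause described above is the interpolation of a user-controlled organization name into an HTML email template without escaping. The following Rust example (added here; it is not OpenObserve's code, and the template wording, function names and the sample organization name and invitation URL are constructed for illustration) shows the unescaped rendering beside the escaped form, plus a small regression check that flags any tags in the rendered body beyond the ones the template itself contains:

```rust
// Added example, not part of OpenObserve. Demonstrates why escaping the
// organization name before interpolating it into an HTML email template
// matters, and how a template-rendering test can catch a regression.

/// Escape the characters that are significant in HTML text and attribute
/// context so user input is shown literally rather than interpreted.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Hypothetical invitation template; the wording is an assumption.
/// It contains exactly eight '<' characters of its own.
const INVITE_TEMPLATE_TAG_COUNT: usize = 8;

fn render_invite_with(org_name: &str, invite_url: &str) -> String {
    format!(
        "<p>You have been invited to join <b>{}</b>.</p>\
         <p><a href=\"{}\">Accept invitation</a></p>",
        org_name, invite_url
    )
}

/// Vulnerable form: the organization name reaches the template verbatim,
/// so any markup in it is rendered by the recipient's mail client.
fn render_invite_unescaped(org_name: &str, invite_url: &str) -> String {
    render_invite_with(org_name, invite_url)
}

/// Hardened form: every user-controlled value is escaped before it is
/// interpolated, so it is displayed as plain text.
fn render_invite_escaped(org_name: &str, invite_url: &str) -> String {
    render_invite_with(&html_escape(org_name), &html_escape(invite_url))
}

/// Regression check for a template test suite: the rendered body must not
/// contain more '<' characters than the template itself, regardless of input.
fn has_injected_markup(rendered: &str) -> bool {
    rendered.matches('<').count() != INVITE_TEMPLATE_TAG_COUNT
}

fn main() {
    // Constructed sample input: an organization name carrying HTML markup.
    let org_name = "<u>Acme</u>";
    // Placeholder invitation URL, not a real endpoint.
    let invite_url = "https://invite.example.invalid/accept?token=PLACEHOLDER";

    let unsafe_body = render_invite_unescaped(org_name, invite_url);
    let safe_body = render_invite_escaped(org_name, invite_url);

    println!("unescaped: {}", unsafe_body);
    println!("injected markup detected: {}", has_injected_markup(&unsafe_body));
    println!("escaped:   {}", safe_body);
    println!("injected markup detected: {}", has_injected_markup(&safe_body));
}
```

The check in `has_injected_markup` deliberately counts tags rather than searching for particular strings, so it catches any markup in any user-controlled field, not only the underline or anchor tags mentioned in the advisory.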