GlobaLeaks Improper Input Validation in Support API Endpoint Allowing Arbitrary URLs

Vulnerability

A vulnerability exists in GlobaLeaks versions prior to 5.0.89, where the /api/support endpoint lacks adequate validation of user-submitted support requests. This flaw enables the inclusion of arbitrary URLs in support emails sent to administrators. Although the vulnerability does not directly impact the GlobaLeaks platform's functionality or security, it poses a low-risk social engineering threat, as administrators may inadvertently click on these links if they are automatically converted to clickable format by certain email clients, such as Gmail or Outlook.

Impact

While the vulnerability does not compromise the GlobaLeaks system or its data, it introduces a low-risk social engineering opportunity. Administrators could be tricked into clicking on malicious URLs that are automatically made clickable by their email client, potentially leading to phishing attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the /api/support endpoint with a JSON payload that includes a malicious URL in the 'url' parameter. The request can be made using a tool that supports HTTP/2, such as curl or Postman. Once the request is processed, the email sent to administrators will contain the included URL, which could be clicked if the email client automatically converts it into a clickable link.

Remediation

Users can update to GlobaLeaks version 5.0.89 or later, where this vulnerability has been patched. Additionally, administrators can configure their email clients to disable automatic linking of URLs, treat links from untrusted sources with caution, and train staff to be aware of potential phishing risks.
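The server-side fix the advisory describes is input validation on the support endpoint. The following is an added example written for this page, not GlobaLeaks's own patch: it allowlists the user-supplied 'url' field so that only an https URL on the instance's own host survives into the administrator email. The instance hostname and the field names other than 'url' (mail_address, text) are assumptions.

```python
"""Added example (not GlobaLeaks code): validate the 'url' field of a support
request before it is rendered into the e-mail sent to administrators."""
from urllib.parse import urlsplit

# Constructed placeholder for the instance's own hostname (assumption).
INSTANCE_HOSTNAME = "whistleblowing.example.org"


def is_allowed_support_url(url, hostname=INSTANCE_HOSTNAME):
    """Return True only for an https URL whose network location is exactly
    the instance hostname (no userinfo, no port, no other host)."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input such as bad IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    # Comparing the full netloc (lower-cased) rejects forms like
    # 'https://whistleblowing.example.org@evil.example.net/' where the
    # expected name appears only as userinfo in front of the real host.
    return parts.netloc.lower() == hostname


def sanitize_support_request(request, hostname=INSTANCE_HOSTNAME):
    """Build a dict safe to render into the admin email.

    Mandatory fields (assumed names) must be strings; the optional 'url'
    is kept only when it passes the allowlist and is dropped otherwise.
    """
    if not isinstance(request, dict):
        raise ValueError("support request must be a JSON object")
    mail = request.get("mail_address")
    text = request.get("text")
    if not isinstance(mail, str) or not isinstance(text, str):
        raise ValueError("mail_address and text are required strings")
    cleaned = {"mail_address": mail, "text": text}
    url = request.get("url")
    if is_allowed_support_url(url, hostname):
        cleaned["url"] = url
    return cleaned
```

Dropping rather than rewriting a rejected URL keeps the email free of any attacker-chosen text that a client might auto-link.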

Added: Mar 27, 2026, 4:16 PM
Updated: Mar 27, 2026, 4:16 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.2
exploitability: 7.7
remediation: 7.9
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.