Mailparser Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the mailparser package in versions prior to 3.9.3. The issue lies in the textToHtml() function, which converts URLs found in email text into HTML links without properly sanitizing them. Because a double quote inside a URL is written into the link's href attribute unescaped, an attacker can add extra quotes to a URL carrying malicious JavaScript and so inject arbitrary scripts into the browsers of victims. The vulnerability has been addressed in version 3.9.3.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, send an email whose body contains a URL that includes quote characters followed by JavaScript, for example an onmouseover event handler. When mailparser processes the email, the URL is converted into a link, but the embedded quotes terminate the href attribute value early, so the remainder of the URL is parsed as additional attributes and the JavaScript executes. Processing can be driven with the library's simpleParser function, which can be configured to skip certain sanitization steps.
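As an added illustration (not mailparser's own code), the following shows a naive linkifier of the shape the advisory describes beside a hardened one that escapes the URL for HTML attribute context, plus a check a defender can run over rendered output to flag anchors that carry anything other than a single href. The sample input is constructed, and its `title` attribute stands in for the event handler the advisory mentions.

```javascript
// Added illustration, not mailparser's own code: a naive text-to-HTML
// linkifier next to a hardened one, plus a defender-side check.

const URL_RE = /https?:\/\/[^\s<]+/gi;

// Escape the characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Naive linkifier: the matched URL is interpolated verbatim, so a double
// quote inside it closes the href value early (the bug class described above).
function naiveTextToHtml(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened linkifier: every segment is escaped for the context it lands in,
// so a quote in the URL becomes &quot; and stays inside the attribute.
function safeTextToHtml(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Defender-side check: true if any <a> tag carries attributes other than
// exactly one double-quoted href, i.e. an attribute-context break-out.
function hasAttributeInjection(html) {
  for (const m of html.matchAll(/<a\s+([^>]*)>/gi)) {
    if (!/^href="[^"]*"$/.test(m[1].trim())) return true;
  }
  return false;
}

// Constructed sample: a URL carrying an embedded double quote and a trailing
// attribute name; no whitespace, so the whole string matches as one URL.
const SAMPLE = 'See http://example.com/"title="x for details';
```

`naiveTextToHtml(SAMPLE)` yields an anchor with a second attribute and is flagged; `safeTextToHtml(SAMPLE)` keeps the quote encoded inside the href and passes.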
Remediation
Upgrade mailparser to version 3.9.3 or later.