Vikunja Markdown Injection Vulnerability in Overdue Email Notifications
Vulnerability
A vulnerability in Vikunja, a self-hosted task management platform, allows for Markdown injection in overdue email notifications. This issue affects Vikunja versions prior to 2.3.0. The vulnerability arises because task titles are inserted directly into Markdown link format without escaping special characters. When these emails are processed by the Goldmark Markdown renderer and then sanitized by Bluemonday, which permits certain HTML tags, the injected Markdown can create phishing links or tracking pixels in the notification emails.
Impact
Exploitation of this vulnerability allows for the injection of malicious links and tracking images into email notifications, which could be used for phishing attacks.
Reproduction
To reproduce this vulnerability, create a task with a title that includes Markdown link syntax or image links, and set the due date to a past date. Once the task is overdue, an email notification will be sent that includes the injected Markdown, which will be rendered as a clickable link or an image.
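The following is an added Go example, not Vikunja's own code, of the bug class described above: a task title interpolated verbatim into a Markdown link template, beside a version that backslash-escapes CommonMark punctuation first, plus a simple check a defender could run over stored titles. It uses only the standard library (no Goldmark or Bluemonday), and the title, URLs and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// markdownEscaper backslash-escapes the ASCII punctuation CommonMark uses to
// open links, images, emphasis, code spans and raw HTML. CommonMark lets any
// ASCII punctuation be escaped, so an escaped title renders as literal text.
// Illustrative helper, not the project's actual fix.
var markdownEscaper = strings.NewReplacer(
	`\`, `\\`, "`", "\\`", "*", `\*`, "_", `\_`, "~", `\~`,
	"[", `\[`, "]", `\]`, "(", `\(`, ")", `\)`, "!", `\!`,
	"<", `\<`, ">", `\>`, "|", `\|`,
)

func escapeMarkdown(s string) string { return markdownEscaper.Replace(s) }

// overdueLineVulnerable mirrors the pattern in the advisory: the raw title
// lands inside the link text, so "[x](url)" or "![](url)" in the title
// becomes real Markdown. An HTML sanitiser that allows <a> and <img> cannot
// undo this, because the injection happens before HTML is produced.
func overdueLineVulnerable(title, taskURL string) string {
	return fmt.Sprintf("* [%s](%s)", title, taskURL)
}

// overdueLineSafe escapes the title at the Markdown layer, so the only link
// in the rendered line is the one the template intended.
func overdueLineSafe(title, taskURL string) string {
	return fmt.Sprintf("* [%s](%s)", escapeMarkdown(title), taskURL)
}

// linkSyntax matches inline link or image syntax; useful for auditing
// existing task titles on an instance that has not yet been upgraded.
var linkSyntax = regexp.MustCompile(`!?\[[^\]]*\]\([^)]*\)`)

func looksLikeMarkdownLink(title string) bool { return linkSyntax.MatchString(title) }

func main() {
	// Constructed sample title carrying a phishing link and a tracking pixel.
	title := "Pay invoice [now](https://phish.example/login) ![](https://phish.example/pixel.gif)"
	url := "https://vikunja.example/tasks/42"
	fmt.Println("vulnerable:", overdueLineVulnerable(title, url))
	fmt.Println("safe:      ", overdueLineSafe(title, url))
	fmt.Println("title contains link syntax:", looksLikeMarkdownLink(title))
}
```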
Remediation
Users can update to Vikunja version 2.3.0, where this vulnerability has been fixed.