HTML Injection - real Aptabase emails in aptabase/aptabase
Reported on
Aug 5th 2023
Description
Because the Name field is not validated during registration, a bad actor can send emails containing injected HTML code to victims.
Proof of Concept
Payload example: J<a href="www.evilsite.com">ameees
Repro steps:
1. Go to https://eu.aptabase.com/auth/register and, for the field 'Name', use the payload containing HTML.
2. Open the email from Aptabase (goenning@aptabase.com) titled 'Confirm your registration' and see that the payload is rendered.
3. Hover over the name with the mouse and see the injected link. The "Hi Jameees" part of the message contains the payload.
For the repro steps please use your own email address, but note that bad actors can do this with victims' email addresses (which they do not own).
Kind regards,
Impact
Bad actors can use this for phishing, for example. The email is genuinely sent from Aptabase, but bad actors can add injected HTML code to it (content spoofing).
Proposed remediation/solution: sanitize or escape the mentioned user input so that HTML is not allowed in it.
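As an added illustration of the remediation (not Aptabase's own code), the snippet below renders the "Hi <name>" greeting the way the report describes, once with raw interpolation and once with HTML escaping, and adds an assumed input check for display names; the template string and the name limits are assumptions.

```python
import html
import re

# Constructed sample in the shape of the reported payload (attacker-controlled display name).
INJECTED_NAME = 'J<a href="www.evilsite.com">ameees'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: user input interpolated directly into an HTML email body."""
    return f"<p>Hi {name}</p>"


def render_escaped(name: str) -> str:
    """Hardened pattern: escape before interpolation, so any markup becomes inert text."""
    return f"<p>Hi {html.escape(name, quote=True)}</p>"


def validate_display_name(name: str) -> bool:
    """Defence in depth (assumed policy): reject empty/over-long names and names
    containing angle brackets or control characters. Escaping at render time
    remains the primary control; this check only reduces the attack surface."""
    if not 1 <= len(name) <= 64:
        return False
    return re.search(r"[<>\x00-\x1f\x7f]", name) is None


def contains_anchor(rendered: str) -> bool:
    """Detection helper: does the rendered body contain a live <a ...> tag?"""
    return re.search(r"<a\s", rendered, re.IGNORECASE) is not None
```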
Additional information: Server-Side Injection - Content Spoofing - Email HTML Injection - https://bugcrowd.com/vulnerability-rating-taxonomy
SECURITY.md
Hi @Maintainer, thank you for the message, quick action and your time here. I appreciate this. ✨ Professional & responsible approach! 🎉 Have a good day, Kind regards,