The vulnerability exists in the `generatePlaintext` method. The function attempts to sanitize HTML by using the regex `/<.+?>/g` to strip tags. However, this regex only matches literal angle brackets. If an attacker supplies HTML entities (e.g., `&lt;img src=x onerror=alert(1)&gt;`), the regex does not recognize them as tags. The function later decodes these entities back into valid HTML using `he.decode(output)`. This sequence of operations, failed stripping followed by decoding, allows the injected HTML to persist and execute if the resulting "plaintext" is rendered in a vulnerable HTML context.
Platform: Mailgen
Version: pre-2.0.24
Vulnerability: HTML Injection
Severity: Medium
Date: 2024
Prediction: 2024-10-15
What Undercode Say:
npm list mailgen
cat node_modules/mailgen/index.js | grep -A 30 "generatePlaintext"
// PoC code to verify the vulnerability: the entity-encoded tag survives the regex strip and is restored by he.decode
var Mailgen = require('mailgen');
var mailGenerator = new Mailgen({ theme: 'default', product: { name: 'Example', link: 'https://example.com/' } });
var email = { body: { name: 'John &lt;img src=x onerror=alert(1)&gt;' } };
var emailText = mailGenerator.generatePlaintext(email);
console.log(emailText); // on a vulnerable version the greeting contains a literal <img ...> tag
How It Is Exploited:
The attacker supplies entity-encoded HTML in user-controlled fields such as `name` or `intro`. When `generatePlaintext` processes this input, the entities are decoded into active HTML only after the tag-stripping step has already run. If the email client renders the output as HTML, the script executes.
Protection from this CVE
Update to Mailgen version 2.0.24 or later. The patch corrects the sanitization logic by decoding HTML entities before stripping the HTML tags, ensuring all potential tags are properly removed.
Impact:
Arbitrary JavaScript execution in the victim’s browser when the malicious plaintext email is viewed in an HTML context, leading to potential session hijacking or data theft.
Sources:
Reported By: github.com