Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input taken from the HTTP request (a query parameter, form field or JSON body) is interpolated directly into the HTML body of an outgoing email without being HTML-escaped. Whatever the attacker submits is therefore parsed by the recipient's mail client as markup rather than shown as text: extra elements, links, images and form fields, and, where the client executes it, script. The fix is to HTML-escape every untrusted value at the point it is placed into the template, or to render the body with a template engine that has auto-escaping enabled, and to validate separately any value that lands inside an attribute such as href or src, because escaping alone does not make a URL safe.
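As an added illustration (not code from the original rule page), the following Python snippet shows the flagged pattern beside its escaped form in a minimal mail builder. The attacker-controlled request value, the sender address and the function names are all hypothetical; the point is that html.escape() at the interpolation site turns the injected markup into inert text while the template's own tags survive, so the mail client renders two elements instead of five.

```python
import html
from email.message import EmailMessage

# Constructed attacker-controlled request value (hypothetical, for illustration).
# A benign user would submit something like "Alice".
MALICIOUS_NAME = (
    '<img src="x" onerror="alert(1)">'
    '<a href="https://evil.example/reset">Your password expires, click here</a>'
)


def build_body_vulnerable(display_name: str) -> str:
    """CWE-74: the request value is concatenated straight into HTML,
    so any markup it contains is rendered by the recipient's mail client."""
    return f"<p>Hello {display_name}, welcome aboard!</p>"


def build_body_safe(display_name: str) -> str:
    """Hardened form: escape <, >, &, double and single quotes before
    interpolation so the value can only render as literal text in the <p>."""
    return f"<p>Hello {html.escape(display_name, quote=True)}, welcome aboard!</p>"


def build_message(display_name: str, to_addr: str, safe: bool = True) -> EmailMessage:
    """Assemble a multipart/alternative message: text/plain first, HTML second."""
    body = build_body_safe(display_name) if safe else build_body_vulnerable(display_name)
    msg = EmailMessage()
    msg["Subject"] = "Welcome"
    msg["From"] = "noreply@app.example"  # hypothetical sender address
    msg["To"] = to_addr
    # The plain-text alternative needs no HTML escaping: it is never parsed as markup.
    msg.set_content(f"Hello {display_name}, welcome aboard!")
    msg.add_alternative(body, subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    """Return the decoded text/html part, i.e. what the mail client will render."""
    for part in msg.iter_parts():
        if part.get_content_type() == "text/html":
            return part.get_content()
    raise ValueError("message has no text/html part")


def count_tags(fragment: str) -> int:
    """Crude tag counter: how many '<' the client would try to parse as markup."""
    return fragment.count("<")


if __name__ == "__main__":
    vuln = build_body_vulnerable(MALICIOUS_NAME)
    safe = build_body_safe(MALICIOUS_NAME)
    print("vulnerable body:", vuln)
    print("escaped body:   ", safe)
    print("tags parsed by client:", count_tags(vuln), "vs", count_tags(safe))
    print(html_part(build_message(MALICIOUS_NAME, "alice@example.com")))
```

Escaping is the right tool only for text content. A value that ends up inside href or src must additionally be validated as a URL with an allow-listed scheme, and rendering through a template engine with auto-escaping on (Jinja2 with autoescape=True, for example) is more robust than hand-placed escape calls because it cannot be forgotten on one code path.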
Impact
If exploited, recipients receive an email that genuinely originates from your infrastructure, and therefore carries your domain's legitimate sender reputation, but contains attacker-controlled content: spoofed links and login forms for phishing, tracking images, or text that impersonates your application. Most mail clients do not execute JavaScript, so the usual outcome is HTML injection and phishing rather than script execution; where the receiving client does render script (webmail rendering flaws, or an in-application HTML preview of the same message) it becomes cross-site scripting (XSS) against the recipient. Either way, the result can be stolen credentials, fraudulent actions performed on behalf of users, data breaches, and damage to trust in your application or organization.