Summary
The Full Name and Organization Name fields are not validated, so an attacker can currently send emails with attacker-chosen content that appear to come from Novu (and are in fact genuine Novu emails).
Note that characters such as underscores and spaces are accepted in these fields, which lets an attacker compose arbitrary sentences in them.
Details
Relevant code:
https://github.com/novuhq/novu/blob/next/apps/web/src/pages/invites/MembersInvitePage.tsx#L212
Proposed remediation: do not allow user-supplied text to flow into outgoing emails unchecked; add proper validation for these fields (restrict/sanitize the input users can enter as Full Name and Organization Name).
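To make the remediation concrete, the following is an added example (not Novu's code and not taken from the file linked above). It reproduces the invite sentence quoted in this report with raw values, then puts the same sentence behind an allow-list validator that rejects both PoC payloads. The function names, the character allow-list, the length limit and the URL-detection regex are assumptions chosen for illustration.

```javascript
// Added example (not Novu's code): the invite line quoted in the report,
// rendered first with raw values and then only after validation.
// Placeholder names (orgName, inviterName) are assumed for illustration.
function renderInviteLine(orgName, inviterName) {
  return `You have been invited to ${orgName} by ${inviterName}. Click on the button below to accept.`;
}

// Allow-list for display names: letters in any script, digits, spaces and a
// few punctuation marks. Underscore, '/', '@' and ':' are deliberately left
// out so a name cannot be made to read like a URL, path or e-mail address.
const NAME_PATTERN = /^[\p{L}\p{M}\p{N}][\p{L}\p{M}\p{N} .,'&-]*$/u;
const MAX_NAME_LENGTH = 64; // assumed limit; pick what the UI actually needs

// Second, independent check: reject anything that looks like a host name or
// URL embedded in the name (www.evilsite.com, http://..., evil.site/foo).
const URL_LIKE = /(?:https?:\/\/|www\.|[a-z0-9-]+\.(?:[a-z]{2,})(?:[\/\s]|$))/iu;

// Returns { ok: true, value } with whitespace normalised, or { ok: false, reason }.
function validateDisplayName(value, field) {
  const trimmed = (value == null ? '' : String(value)).replace(/\s+/g, ' ').trim();
  if (trimmed.length === 0) {
    return { ok: false, reason: `${field} is required` };
  }
  if (trimmed.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: `${field} is too long` };
  }
  if (!NAME_PATTERN.test(trimmed)) {
    return { ok: false, reason: `${field} contains disallowed characters` };
  }
  if (URL_LIKE.test(trimmed)) {
    return { ok: false, reason: `${field} must not contain a URL or domain name` };
  }
  return { ok: true, value: trimmed };
}

// Hardened path: validate both fields at the boundary before they ever reach
// the e-mail template. (Output encoding for the HTML version of the mail is a
// separate concern and is not shown here.)
function buildInviteEmail(orgName, inviterName) {
  const org = validateDisplayName(orgName, 'Organization name');
  if (!org.ok) throw new Error(org.reason);
  const inviter = validateDisplayName(inviterName, 'Full name');
  if (!inviter.ok) throw new Error(inviter.reason);
  return renderInviteLine(org.value, inviter.value);
}

// The two payloads from the PoC section (constructed input, as in the report).
const POC_FULL_NAME = 'Novu-so_just_Later';
const POC_ORG_NAME = 'get SWAG visit www.evilsite.com';

module.exports = { renderInviteLine, validateDisplayName, buildInviteEmail, POC_FULL_NAME, POC_ORG_NAME };
```

With raw values, `renderInviteLine(POC_ORG_NAME, 'Novu')` yields exactly the spoofed sentence shown in the Result section; `buildInviteEmail(POC_ORG_NAME, POC_FULL_NAME)` throws instead, because the underscore fails the character allow-list and `www.` trips the URL check. The allow-list will also reject a few legitimate but unusual names (for example `Bob.Smith`), which is the usual trade-off of validating free-text fields that end up in trusted-looking messages; a looser pattern plus a hard length limit and the URL check is a reasonable middle ground.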
PoC
PoC payload examples:
Full Name field: Novu-so_just_Later
Organization Name field: get SWAG visit www.evilsite.com
Repro steps:
- Go to https://web.novu.co/auth/signup and, during registration, set Full Name to the payload provided above.
- In the second registration step, set Organization Name to the other payload provided above.
- Go to https://web.novu.co/team as the logged-in user, enter the victims' email addresses and click the Invite button.
- Open the email: the payloads are rendered verbatim in a genuine email from Novu <[email protected]>, i.e. spoofed content in a legitimate message.
(For convenience, use a second email address of your own as the recipient when reproducing.)
Result:
"You have been invited to Get SWAG visit www.evilsite.com by Novu. Click on the button below to accept."
Screenshot - result:
Impact
Spoofed email content: the recipient sees a genuine Novu email and is therefore more likely to act on malicious instructions it contains (visit site xyz, download from xyz). A second scenario is disinformation and reputational damage (loss of trust), for example by placing vulgar or otherwise inappropriate content in these fields.
Additional information:
Content Spoofing - https://owasp.org/www-community/attacks/Content_Spoofing
CAPEC-148: Content Spoofing - https://capec.mitre.org/data/definitions/148.html
CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html
Best regards,