EIQ-2020-0006



ID

EIQ-2020-0006

CVE

-

Description

HTML Injection into Platform Emails

Date

05 Feb 2020

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD .

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.7.0

Assessment

EclecticIQ uses the Host header of an HTTP request to specify the domain name of a server that is used to access the platform.
When resetting passwords, t his mechanism is used to create a link to the platform, which is then sent to the user concerned by email.

An attacker can use this mechanism to get the platform send a password reset e-mail with a link pointing to a malicious website.
The vulnerability also allows attackers to inject additional HTML elements into an email, such as text or hyperlinks.

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-

< Back to all security issues and mitigation actions

In release notes 2.7.0