CVE-2023-48226 in OpenReplayinfo

Summary

by MITRE • 11/21/2023

OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to lack of validation Name field - Account Settings (for registration looks like validation is correct), a bad actor can send emails with HTML injected code to the victims. Bad actors can use this to phishing actions for example. Email is really send from OpenReplay, but bad actors can add there HTML code injected (content spoofing). Please notice that during Registration steps for FullName looks like is validated correct - can not type there, but using this kind of bypass/workaround - bad actors can achieve own goal. As of time of publication, no known fixes or workarounds are available.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/15/2023

CVE-2023-48226 represents a critical server-side request forgery vulnerability in OpenReplay version 1.14.0 that enables attackers to inject malicious HTML content into email communications. This vulnerability stems from insufficient validation of the Name field within Account Settings, creating a discrepancy between registration and account modification workflows. While the registration process properly validates the FullName field, preventing direct HTML injection during user creation, the account settings update functionality lacks equivalent safeguards, allowing malicious actors to bypass these protections through indirect means.

The technical flaw manifests as a content spoofing mechanism where attackers can manipulate the email content delivery system to inject HTML code that appears to originate from legitimate OpenReplay communications. This creates a dangerous vector for phishing campaigns where victims receive emails that appear authentic but contain malicious payloads. The vulnerability operates at the application layer and specifically targets the email templating and sending functionality, making it particularly dangerous as it leverages the trust relationship between the application and its users. The inconsistency between registration and account settings validation creates an exploitable gap that attackers can readily identify and utilize.

The operational impact of this vulnerability extends beyond simple email manipulation to encompass full phishing attack capabilities. Attackers can craft convincing emails that appear to come from OpenReplay while embedding malicious links, scripts, or credential harvesting mechanisms. This allows for sophisticated social engineering campaigns that exploit the application's legitimate email infrastructure to gain unauthorized access to user accounts, steal sensitive information, or deploy additional malware. The vulnerability essentially transforms the legitimate email system into a weapon for malicious actors, undermining the trust model that users expect from the application.

This vulnerability aligns with CWE-79: Improper Neutralization of Input During Web Page Generation and maps to ATT&CK technique T1566.001: Phishing - Spearphishing Attachment. The inconsistency in validation logic between registration and account modification processes creates an attack surface that violates fundamental security principles of defense in depth. Organizations using OpenReplay version 1.14.0 face significant risk of credential theft, account takeover, and data breaches through this vector. The lack of available fixes or workarounds at the time of publication compounds the risk, leaving systems vulnerable for extended periods without remediation options.

Organizations should immediately implement network-level monitoring for suspicious email traffic patterns and consider temporary workarounds such as disabling account settings modification functionality until a proper patch is available. The vulnerability demonstrates the critical importance of consistent validation across all application interfaces and highlights the need for comprehensive security testing that examines not just individual components but their interactions. Security teams should also implement email content filtering rules that can detect and block suspicious HTML content in outbound communications, providing an additional layer of protection while awaiting official patches.

Responsible

GitHub, Inc.

Reservation

11/13/2023

Disclosure

11/21/2023

Moderation

accepted

CPE

ready

EPSS

0.00779

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!