<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Novu - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/novu/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/novu/feed.xml" rel="self" type="application/rss+xml"/><item><title>Novu XSS Vulnerability via Incomplete Sanitization</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-novu-xss/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-novu-xss/</guid><description>A cross-site scripting (XSS) vulnerability exists in Novu due to incomplete sanitization of HTML attributes in email previews, allowing arbitrary JavaScript execution.</description><content:encoded><![CDATA[<p>A cross-site scripting (XSS) vulnerability has been identified in Novu versions prior to 3.15.0. The vulnerability stems from incomplete sanitization of HTML attributes within the email preview functionality. Specifically, the application fails to properly sanitize the <code>oncontentvisibilityautostatechange=</code> attribute, allowing an attacker to inject arbitrary JavaScript code. This injected code executes when a user views an email containing the malicious HTML, potentially leading to account takeover or other malicious activities. This is more impactful than a self-XSS because an attacker can craft a URL that, when visited, logs the victim into the attacker's account and triggers the XSS.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious HTML payload containing the <code>oncontentvisibilityautostatechange=</code> attribute with embedded JavaScript.</li>
<li>The attacker injects this payload into the body of an email template within the Novu workflow editor.</li>
<li>A user views the email template preview or receives an email generated from the compromised template.</li>
<li>The user's browser parses the HTML, including the unsanitized <code>oncontentvisibilityautostatechange=</code> attribute.</li>
<li>The JavaScript code embedded within the attribute executes in the user's browser, within the context of the Novu application.</li>
<li>The attacker can leverage the XSS to steal session cookies or inject malicious code into the Novu application.</li>
<li>The attacker can use the Google/GitHub OAuth flows without completing the code callback step, and send that URL to the victim.</li>
<li>By logging into the attacker's account, the prepared XSS payload is triggered.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this XSS vulnerability could allow an attacker to steal sensitive user data, including session cookies and API keys. An attacker can also perform actions on behalf of the victim, such as modifying workflow templates or sending malicious notifications. In scenarios where multiple users have access to the Novu dashboard, the impact can be amplified, leading to widespread compromise of user accounts and sensitive data. The vulnerability affects Novu versions prior to 3.15.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Novu to version 3.15.0 or later to patch the XSS vulnerability.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious oncontentvisibilityautostatechange Attribute</code> to your SIEM to detect attempts to exploit this vulnerability via crafted email templates.</li>
<li>Regularly audit and review the sanitization mechanisms within your Novu application to ensure they are effective against new and emerging XSS attack vectors.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>cross-site-scripting</category><category>sanitization</category><category>novu</category></item></channel></rss>