{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/novu/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Novu"],"_cs_severities":["high"],"_cs_tags":["xss","cross-site-scripting","sanitization","novu"],"_cs_type":"advisory","_cs_vendors":["Novu"],"content_html":"\u003cp\u003eA cross-site scripting (XSS) vulnerability has been identified in Novu versions prior to 3.15.0. The vulnerability stems from incomplete sanitization of HTML attributes within the email preview functionality. Specifically, the application fails to properly sanitize the \u003ccode\u003eoncontentvisibilityautostatechange=\u003c/code\u003e attribute, allowing an attacker to inject arbitrary JavaScript code. This injected code executes when a user views an email containing the malicious HTML, potentially leading to account takeover or other malicious activities. This is more impactful than a self-XSS because an attacker can craft a URL that, when visited, logs the victim into the attacker's account and triggers the XSS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTML payload containing the \u003ccode\u003eoncontentvisibilityautostatechange=\u003c/code\u003e attribute with embedded JavaScript.\u003c/li\u003e\n\u003cli\u003eThe attacker injects this payload into the body of an email template within the Novu workflow editor.\u003c/li\u003e\n\u003cli\u003eA user views the email template preview or receives an email generated from the compromised template.\u003c/li\u003e\n\u003cli\u003eThe user's browser parses the HTML, including the unsanitized \u003ccode\u003eoncontentvisibilityautostatechange=\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code embedded within the attribute executes in the user's browser, within the context of the Novu application.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the XSS to steal session cookies or inject malicious code into the Novu application.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the Google/GitHub OAuth flows without completing the code callback step, and send that URL to the victim.\u003c/li\u003e\n\u003cli\u003eBy logging into the attacker's account, the prepared XSS payload is triggered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability could allow an attacker to steal sensitive user data, including session cookies and API keys. An attacker can also perform actions on behalf of the victim, such as modifying workflow templates or sending malicious notifications. In scenarios where multiple users have access to the Novu dashboard, the impact can be amplified, leading to widespread compromise of user accounts and sensitive data. The vulnerability affects Novu versions prior to 3.15.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Novu to version 3.15.0 or later to patch the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious oncontentvisibilityautostatechange Attribute\u003c/code\u003e to your SIEM to detect attempts to exploit this vulnerability via crafted email templates.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the sanitization mechanisms within your Novu application to ensure they are effective against new and emerging XSS attack vectors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-novu-xss/","summary":"A cross-site scripting (XSS) vulnerability exists in Novu due to incomplete sanitization of HTML attributes in email previews, allowing arbitrary JavaScript execution.","title":"Novu XSS Vulnerability via Incomplete Sanitization","url":"https://feed.craftedsignal.io/briefs/2024-01-09-novu-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Novu","version":"https://jsonfeed.org/version/1.1"}