Summary

Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims.
At this moment registered user (as a bad actor) can attack (victim) with real email from Tolgee - HTML Injection (Server-Side Injection - Content Spoofing).

Details

Occurrences:
https://github.com/tolgee/tolgee-platform/blob/main/backend/data/src/main/kotlin/io/tolgee/component/email/InvitationEmailSender.kt#L26

PoC

Payload example (name of Org - from invitation): Org<a href="www.github.com">s

Repro steps:

1. As logged in user Create New Org https://app.tolgee.io/organizations/add for Name field use HTML Injection payload (provided above).
2. Next go to https://app.tolgee.io/organizations/[NAME]/profile - this Org Settings and click Organization members - click btn INVITE USER and type email address there.
3. Receive and open email with invitation - see HTML Injected. (Please use second Test email for Repro steps here)

Result - screenshot:

For Repro steps please use own emails, but please notice that bad actors can make this with victims email addresses (which not own).

Proposed remediation: Sanitize/purify mentioned input data from users - don't allow to this.

Impact

Bad actors can use this to phishing actions for example. Email is really send from Tolgee, but bad actors can add there HTML code injected.

Additional informations:
References:
CAPEC-242: Code Injection - https://capec.mitre.org/data/definitions/242.html
Server-Side Injection Content Spoofing Email HTML Injection - https://bugcrowd.com/vulnerability-rating-taxonomy
CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html

Best regards,