CVE-2023-35948

Name of the Vulnerable Software and Affected Versions Novu versions prior to 0.16.0

Description Novu provides an API for sending notifications through multiple channels. The "Sign In with GitHub" functionality of Novu's open-source repository contains an open redirect issue. This could have allowed an attacker to force a victim into opening a malicious URL, potentially logging into the repository under the victim's account and gaining full control of the account. The vulnerability only affects Novu Cloud and Open-Source deployments where the user has manually enabled GitHub OAuth on their self-hosted instance.

Recommendations For versions prior to 0.16.0, upgrade to version 0.16.0 to receive a patch. As a temporary workaround, consider disabling the "Sign In with GitHub" functionality until the patch is applied. Restrict access to the GitHub OAuth feature on self-hosted instances to minimize the risk of exploitation.