CVE-2023-48226

Name of the Vulnerable Software and Affected Versions OpenReplay version 1.14.0

Description OpenReplay is a self-hosted session replay suite. Due to a lack of validation in the Name field in Account Settings, a bad actor can send emails with HTML injected code to victims. This can be used for phishing actions. Although the email is sent from OpenReplay, bad actors can inject HTML code, allowing for content spoofing. It appears that during registration, the FullName field has correct validation, but bad actors can bypass this to achieve their goals.

Recommendations For OpenReplay version 1.14.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.