PT-2023-27901 · Tolgee · Tolgee
Mbiesiad
·
Published
2023-09-07
·
Updated
2023-09-13
·
CVE-2023-41316
CVSS 3.x base score: 5.5 (Medium)
Base vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions:
Tolgee versions prior to 3.29.2
Description:
Tolgee is an open-source localization platform. Because the `Org Name` field is not validated and is rendered unsanitized into the HTML body of invitation emails, any registered user can embed arbitrary HTML in the emails that the Tolgee instance sends to other users. The injected markup arrives in what looks like a legitimate organization invitation, so a bad actor can redirect recipients to a malicious website or, where the mail client renders it, execute JavaScript in the context of the user's browser.
Recommendations:
For versions prior to 3.29.2, upgrade to version 3.29.2 to address the vulnerability. As a temporary workaround until the upgrade is applied, restrict who may set or change the `Org Name` field and reject values that contain HTML markup, since that field is the injection point.
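To make the injection point concrete, the following is an added example written for this page; it is not Tolgee's own code, and the template, field names, link and attacker payload are all constructed for illustration. The unsafe renderer interpolates an untrusted organization name straight into an HTML invitation body, as the advisory describes; the hardened renderer HTML-escapes the value first, and `contains_markup` is the kind of crude input-side check the temporary workaround calls for.

```python
import html
import re
from typing import List

# Constructed attacker-controlled organisation name (hypothetical payload, not taken from the advisory).
# It closes the surrounding paragraph and plants its own "Accept invitation" link.
MALICIOUS_ORG_NAME = (
    'Acme Corp</p><a href="https://attacker.example/login">Accept invitation</a><p>'
)

# Simplified invitation template; the real Tolgee template is not shown on this page.
INVITE_TEMPLATE = (
    "<p>You have been invited to join the organisation {org} on Tolgee.</p>"
    '<p><a href="{link}">Accept invitation</a></p>'
)


def render_invite_unsafe(org_name: str, link: str) -> str:
    """Vulnerable pattern: the untrusted org name is placed into the HTML body verbatim."""
    return INVITE_TEMPLATE.format(org=org_name, link=link)


def render_invite_safe(org_name: str, link: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped before reaching the template."""
    return INVITE_TEMPLATE.format(
        org=html.escape(org_name, quote=True),
        link=html.escape(link, quote=True),
    )


def contains_markup(org_name: str) -> bool:
    """Input-side check for the workaround: reject org names that carry HTML tags.

    This is a stopgap only; output escaping in the renderer is the real fix.
    """
    return re.search(r"<[^>]*>", org_name) is not None


def extract_links(email_html: str) -> List[str]:
    """Collect href targets so the rendered mail can be inspected for where it really points."""
    return re.findall(r'href="([^"]+)"', email_html)


if __name__ == "__main__":
    legit_link = "https://tolgee.example/accept?code=abc"
    print("unsafe links:", extract_links(render_invite_unsafe(MALICIOUS_ORG_NAME, legit_link)))
    print("safe links:  ", extract_links(render_invite_safe(MALICIOUS_ORG_NAME, legit_link)))
    print("payload rejected by workaround:", contains_markup(MALICIOUS_ORG_NAME))
```

With the unsafe renderer the attacker's link is the first clickable "Accept invitation" in the mail; with escaping, the payload is shown as literal text and only the instance's own link survives. Blocking `<` and `>` on input catches this particular payload but not every encoding trick, which is why the advisory's upgrade, not the workaround, is the fix.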
Tags: XSS