CVE-2023-41316

Public Exploit
HTML Injection with email in Tolgee

Description

Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.17%
Vendor Advisory github.com
Affected: tolgee tolgee-platform
Published at:
Updated at:

References

Link Tags
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-gx3w-rwh5-w5cg vendor advisory exploit
https://github.com/tolgee/tolgee-platform/commit/bab718b1c9b3e90327bfb10d27b9799996e5c35b patch

Frequently Asked Questions

What is the severity of CVE-2023-41316?
CVE-2023-41316 has been scored as a medium severity vulnerability.
How to fix CVE-2023-41316?
To fix CVE-2023-41316, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-41316 being actively exploited in the wild?
It is possible that CVE-2023-41316 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-41316?
CVE-2023-41316 affects tolgee tolgee-platform.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.