Mail Header Injection (IAST)

Severity: Critical

Invicti identified that the web application is vulnerable to Email Header Injection. Email Header Injection is a security vulnerability that allows a malicious user to tamper with the email messages that are sent from the web application by injecting additional SMTP/IMAP headers. A malicious spammer could potentially use this tactic to send large numbers of messages anonymously.


Unvalidated user input is used when composing the content of the mail messages that are sent from this web application. Therefore, it's possible for a remote attacker to inject custom SMTP/IMAP headers. For example, an attacker can inject additional email recipients and use the script for sending spam.

Actions To Take#

You need to restrict CR(0x13) and LF(0x10) from the user input. Check references for more information about fixing this vulnerability.

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works