Security Vulnerability Report
Please treat this as a security concern.
I have discovered multiple Stored Cross-Site Scripting (XSS) vulnerabilities in Hi.Events email templates. Event organizer-controlled content is rendered unescaped in outgoing emails to attendees.
Summary
5 injection points found across email templates — all use Blade raw output without HTML sanitization:
- Custom email template body (custom-template.blade.php:3)
- Event message to attendees (event/message.blade.php:8) — most critical
- Email footer message (EventSettingDomainObject.php) — affects 9 templates
- Offline payment instructions (orders/summary.blade.php:29)
- Post-checkout message (orders/summary.blade.php:49)
Impact
Any event organizer can inject HTML/JS that targets ALL attendees of their events via email. The Send Message feature allows mass exploitation — one click sends malicious content to thousands.
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N — Score: 8.7 (HIGH)
Suggested Fix
Sanitize organizer-controlled content before rendering in email templates using HTMLPurifier or equivalent.
Full Details
I have a detailed report with PoC, affected files/lines, and fix recommendations. Please contact me for the full report, or I can share it via encrypted email using your PGP key from SECURITY.md.
Tested on: Latest version (March 2026)
CWE: CWE-79, CWE-116
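The mitigation the report asks for is an allowlist HTML sanitizer applied to organizer-supplied text before it reaches a raw Blade echo. The following is an added illustration of that approach, not Hi.Events code and not HTMLPurifier itself: a small stand-alone Python sanitizer, built on the standard library's HTMLParser, that keeps simple formatting tags and safe links and discards scripts, event-handler attributes, inline styles and non-http(s)/mailto URLs. The tag and attribute allowlists are constructed for the example, as are the sample inputs.

```python
"""Allowlist HTML sanitizer illustrating the fix the report recommends.

Added example, not Hi.Events code. Organizer-controlled text destined for
attendee emails is passed through sanitize_html() before it is rendered as
raw HTML, so basic formatting survives while executable content is removed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an organizer may reasonably use in an email body (constructed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u",
                "ul", "ol", "li", "a", "h1", "h2", "h3"}
# Attributes permitted per tag; anything else (style, on*, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes accepted in href; javascript:, data: and the like are rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# The text inside these elements is discarded, not just the tags around it.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_href(url: str) -> bool:
    parsed = urlparse(url.strip())
    # Relative links carry no scheme and are allowed; absolute ones must match.
    return parsed.scheme == "" or parsed.scheme.lower() in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag goes, its text stays (escaped)
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything left open inside this element, then the element itself.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        # Text is always re-escaped, so stray '<' or '&' cannot form markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close tags the author left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Return a version of untrusted HTML that is safe to emit via raw output."""
    p = _Sanitizer()
    p.feed(untrusted)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed organizer message containing hostile markup, for demonstration.
    message = ('<p>Doors open at <b>7pm</b>.</p>'
               '<script>x()</script>'
               '<a href="javascript:x()" onclick="y()">Tickets</a>')
    print(sanitize_html(message))
```

In Blade, `{{ $value }}` HTML-escapes and `{!! $value !!}` does not; where organizer content has to keep its formatting, the sanitized string rather than the stored value is what should reach the raw echo, which is the role HTMLPurifier plays in a Laravel project and which this Python sanitizer stands in for here.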