You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
The new-user welcome email template contains {{ user.password }}, which injects the plaintext password into the email body. The password is generated at ContactPersonHandler.php:466 and passed directly into the email template.
Email is inherently unencrypted in transit. Combined with C5 (SMTP repointing), an attacker who redirects outbound mail captures every new user's plaintext password the moment the account is created.
Scenario:
Admin creates a new contact/user account.
System sends welcome email containing Password: <plaintext>.
Attacker (having exploited C5) or any email intermediary reads the password.
Attacker logs in as the new user.
Suggested fix:
Never include credentials in email bodies.
Send a one-time activation link with a short TTL instead.
Remove {{ user.password }} from the email template and all related template variables.
Severity: CRITICAL
Location:
lib/Service/SymfonyEmailService.phplines 932–1046 (template rendering lines 155–172);lib/Service/SoftwareCatalogue/ContactPersonHandler.phplines 466–467Description:
The new-user welcome email template contains
{{ user.password }}, which injects the plaintext password into the email body. The password is generated atContactPersonHandler.php:466and passed directly into the email template.Email is inherently unencrypted in transit. Combined with C5 (SMTP repointing), an attacker who redirects outbound mail captures every new user's plaintext password the moment the account is created.
Scenario:
Password: <plaintext>.Suggested fix:
{{ user.password }}from the email template and all related template variables.Source: deep team-reviewer pass 2026-05-27