Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[CRITICAL] C7: Plaintext passwords sent in new-user welcome emails #332

Description

@rubenvdlinde

Severity: CRITICAL

Location: lib/Service/SymfonyEmailService.php lines 932–1046 (template rendering lines 155–172); lib/Service/SoftwareCatalogue/ContactPersonHandler.php lines 466–467

Description:
The new-user welcome email template contains {{ user.password }}, which injects the plaintext password into the email body. The password is generated at ContactPersonHandler.php:466 and passed directly into the email template.

Email is inherently unencrypted in transit. Combined with C5 (SMTP repointing), an attacker who redirects outbound mail captures every new user's plaintext password the moment the account is created.

Scenario:

  1. Admin creates a new contact/user account.
  2. System sends welcome email containing Password: <plaintext>.
  3. Attacker (having exploited C5) or any email intermediary reads the password.
  4. Attacker logs in as the new user.

Suggested fix:

  • Never include credentials in email bodies.
  • Send a one-time activation link with a short TTL instead.
  • Remove {{ user.password }} from the email template and all related template variables.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions