HTML Injection in Apache Answer Notification Emails

Successful exploitation allows an authenticated attacker to alter the HTML content of notification emails delivered to other Apache Answer users. This can enable phishing, content spoofing, insertion of malicious or deceptive links, and other email-based social engineering. In email clients that render injected HTML permissively, the attacker may increase the credibility of malicious content or abuse script-related markup handling, though the primary demonstrated impact is arbitrary HTML injection into outbound emails.

If immediate upgrade is not possible, reduce exposure by disabling or restricting notification emails that include user-generated content, applying server-side sanitization or escaping to all user-controlled fields before they are inserted into email templates, and limiting the ability of untrusted or low-trust authenticated users to generate content that triggers outbound notifications. These are interim measures; the vendor-recommended fix is upgrading to 2.0.1.

Upgrade Apache Answer to version 2.0.1 or later. Apache states that version 2.0.1 fixes the issue by addressing the improper escaping of user-controlled content included in notification emails.