jdavidbakr / mail-tracker

Package for Laravel to inject tracking code into outgoing emails.
MIT License
555 stars, 128 forks

MASSIVE Security Issue #227

Open brycematheson opened 1 year ago

brycematheson commented 1 year ago

When this package is installed, http://.com/email/n?l=https%3A%2F%2Fbafkreia3npf5ze77wak4mvqezytipp2fbmhikq5w3bshbdfx2zz72krdsi.ipfs.dweb.link%2F%3Ffilename%3Dana.html#kelly@trypotstudios.com

redirects to:

https://bafkreia3npf5ze77wak4mvqezytipp2fbmhikq5w3bshbdfx2zz72krdsi.ipfs.dweb.link/?filename=ana.html#kelly@trypotstudios.com

I finally discovered the issue, but my site was down for 48 hours due to my domain registrar suspending our domain for abuse/phishing. Please fix ASAP.

sync667 commented 1 year ago

That is not right, if I'm not wrong in my checks; the problem has to be on your side. The function that parses that redirect does not have any injection other than the URL you have in your emails or the default that is in the config. So it is possible that you had a security problem on another side, so your app sends emails with those phishing links, not the plugin itself.
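The two comments above disagree about where the redirect target comes from, but the behaviour reported is the classic open-redirect shape: a tracking endpoint (`/email/n` in the issue) reads a URL from the `l` query parameter and sends the browser there, so any URL an attacker pastes into that parameter is served from the victim's domain. The example below is added here and is not mail-tracker's code; it shows that pattern beside one common hardening, where the application signs each link it rewrites at send time and the click handler only follows targets whose signature verifies. The route path is taken from the issue; the `s` parameter, the `SIGNING_KEY` constant, the function names and the sample URLs are assumptions made for the example.

```php
<?php
// Added example, not mail-tracker's own code. Demonstrates an open-redirect handler
// and a hardened version that only follows links the application itself signed.
declare(strict_types=1);

// Assumption: an application-level secret used to sign tracked links at send time.
const SIGNING_KEY = 'constructed-example-key-replace-in-real-use';

// Vulnerable shape: whatever arrives in ?l= becomes the Location target.
function vulnerableRedirectTarget(array $query): ?string
{
    $target = $query['l'] ?? null;
    return is_string($target) ? $target : null;
}

// Send-time step: wrap a link the app knows about with an HMAC over the target.
// Only URLs produced here will later pass safeRedirectTarget().
function signTrackedLink(string $target, string $key = SIGNING_KEY): string
{
    $sig = hash_hmac('sha256', $target, $key);
    return '/email/n?' . http_build_query(['l' => $target, 's' => $sig]);
}

// Click-time step: follow the target only if its signature verifies
// (constant-time compare) and it is an absolute http(s) URL.
function safeRedirectTarget(array $query, string $key = SIGNING_KEY): ?string
{
    $target = $query['l'] ?? null;
    $sig    = $query['s'] ?? null;
    if (!is_string($target) || !is_string($sig)) {
        return null;
    }
    $expected = hash_hmac('sha256', $target, $key);
    if (!hash_equals($expected, $sig)) {
        return null; // unsigned or tampered link: do not redirect
    }
    // Defence in depth: refuse javascript:, data: and relative targets even if signed.
    $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $target;
}

// Constructed inputs.
// 1. The attacker-supplied query from the issue: no signature at all.
$attackerQuery = [
    'l' => 'https://bafkreia3npf5ze77wak4mvqezytipp2fbmhikq5w3bshbdfx2zz72krdsi.ipfs.dweb.link/?filename=ana.html',
];

// 2. A link the application signed itself when it sent the email.
$legitLink = signTrackedLink('https://example.com/unsubscribe');
parse_str((string) parse_url($legitLink, PHP_URL_QUERY), $legitQuery);

// 3. A legitimate signature reused with a swapped target.
$tamperedQuery = ['l' => $attackerQuery['l'], 's' => $legitQuery['s']];

echo "vulnerable, attacker input : ", var_export(vulnerableRedirectTarget($attackerQuery), true), PHP_EOL;
echo "hardened, attacker input   : ", var_export(safeRedirectTarget($attackerQuery), true), PHP_EOL;
echo "hardened, signed link      : ", var_export(safeRedirectTarget($legitQuery), true), PHP_EOL;
echo "hardened, tampered link    : ", var_export(safeRedirectTarget($tamperedQuery), true), PHP_EOL;
```

Run with `php example.php`. The vulnerable handler hands back the attacker's dweb.link URL unchanged; the hardened handler returns null for both the unsigned and the tampered query and only returns the `example.com` target for the link it signed. The `#kelly@...` fragment in the reported URL never reaches the server (browsers do not send fragments), so it plays no part in the server-side check; it is there for the phishing page. This approach assumes the application controls the step that rewrites links into emails, which is exactly the point under dispute in the thread: if an attacker can already get arbitrary links into outgoing mail, signing at send time does not help, and the fix has to be upstream of the tracker.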

brycematheson commented 1 year ago

I disagree. After removing your package, the issue resolved itself. Along with that, another user reported the same here: https://github.com/jdavidbakr/mail-tracker/issues/201

It's most certainly an issue within the package itself. We've removed it and will not be reinstalling it until the vulnerability is patched.

brycematheson commented 3 months ago

I can't believe this is still not resolved. I've loved using the package in the past, and would like to continue using it going forward, but not until this is fixed. It's taken me months to get whitelisted with ISPs again because of the breach.

jdavidbakr commented 3 months ago

PRs are always appreciated. Unfortunately I'm spread too thin at the moment to address this.