Emails flagged by member's security team

I'm wondering if anyone has any thoughts/ideas on this. I had a member reach out to me, saying that the email notifications for two recently posted events were flagged by his security team. The event description was mostly the same for the two events (two instances of the same event, hosted in different locations). The event had <h3> headers which also contained emoticons, e.g.:

<h3 id="mcetoc_1j1jmocsa0">[emoticon:3c913c0db7eb4f9face51746da287257] What We Covered</h3>

He said his IT team told him:

"The basis of the detection was the .svg files and our motive was to verify if the files with .svg extension are legitimate or not.
No other details on the email have been flagged as suspicious.
As the .svg files are being shared over emails these days as an attack vector, this instance was highlighted from our side."

I've never had this reported to me before, and I'm not sure if anyone else was impacted by this. The member had his IT team add our emails to their "allow list," but I'm curious if, other than not adding emoticons to posts, anyone else has experienced and addressed this before? Is his security team overly cautious, or is this kind of issue going to happen more and more due to security updates?

I'm currently on 12.1.4.25057 in case that makes a difference. https://sugarclub.sugarcrm.com/engage/c/e/6333 is the event in question, in case anyone wants to see.

Thanks!



Added link to event
[edited by: Alex Nassi at 2:37 PM (GMT 0) on Thu, Aug 14 2025]
  • anyone else has experienced and addressed this before?

    I am usually aware of issues with e-mail, but they tend to be 'rendering' problems, and also embedding JavaScript is often blocked.

    This does appear to be an attack vector though: https://www.cloudflare.com/en-gb/threat-intelligence/research/report/svgs-the-hackers-canvas/ (adjacent CVE stating JavaScript can be embedded in SVG: https://nvd.nist.gov/vuln/detail/CVE-2025-28010 ), and on principle I disable sending the content of posts to the user; I only send the title, if anything.

    I mainly do this so I'm not sending the user spam that's been posted onto the site, and with the recent UK Online Safety Act, stopping any illegitimate content before it's sent to the user is paramount anyway.

    I don't know if v13's e-mail studio would give you more granular control over this, but it does appear we need a 'filter' on content sent out that excludes file types.

    I would raise this as a support ticket as I see it as crucial to the platform to give that level of control and security, someone could embed a malicious svg into the Community, and that could be sent to the user if you're not careful. Though you'll possibly be asked to raise it as an idea instead.

  • This is great,  , very thorough, thank you so much! 

    on principle I disable sending the content of posts to the user, I only send the title, if anything.

    I mainly do this so I'm not sending the user spam that's been posted onto the site,

    Great point. The spam part is not as much of an issue on my site since I have moderation set for all users who are not already known contacts in our CRM (I'm not very concerned about our legitimate customers sending spam), but it could also be thought about from the engagement perspective. If I'm reading the body of an email notification and only have a title (or maybe the first 100-200 characters of the post), am I going to click through to read the whole post? Or am I going to ignore it and not go to the site, even if I may know the answer if I read further?

    I probably need more insight from my site and members about how much traffic comes from email clicks versus people just being on the site and what members' workflows look like.

    but it does appear we need a 'filter' on content sent out that excludes file types.

    That'd be great, and ideally, some sort of indicator like "to see this [image], view this post online"

    I would raise this as a support ticket as I see it as crucial to the platform to give that level of control and security, someone could embed a malicious svg into the Community, and that could be sent to the user if you're not careful. Though you'll possibly be asked to raise it as an idea instead.

    Good call, I'll raise it as a ticket and see what happens.

    Thanks for the help!
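The outbound content filter the two replies above ask for, as an added example that is not part of this thread or of the platform: it replaces inline <svg> elements, and <img> tags whose src points at an .svg file or an image/svg+xml data URI, with a "view this post online" placeholder while leaving other images alone. It is a simplified regex-based demonstration (a production filter should operate on parsed HTML via a sanitizer library); the sample notification body and the /emoticons/smile.svg path are constructed.

```python
import re
from typing import Tuple

# Constructed placeholder, in the spirit of the "view this post online" idea above.
PLACEHOLDER = '[image removed from this notification; view this post online to see it]'

# Inline <svg>...</svg> blocks: these can carry <script> and event-handler attributes.
_INLINE_SVG = re.compile(r'<svg\b.*?</svg\s*>', re.IGNORECASE | re.DOTALL)
# Every <img ...> tag; its src is inspected separately so non-SVG images survive.
_IMG_TAG = re.compile(r'<img\b[^>]*>', re.IGNORECASE)
_SRC_ATTR = re.compile(r'''\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.IGNORECASE)


def _is_svg_source(src: str) -> bool:
    """True for .svg/.svgz file references and for data: URIs carrying image/svg+xml."""
    s = src.strip().lower()
    if s.startswith('data:'):
        return 'image/svg+xml' in s.split(',', 1)[0]   # only the media-type prefix counts
    path = s.split('?', 1)[0].split('#', 1)[0]          # ignore query string and fragment
    return path.endswith('.svg') or path.endswith('.svgz')


def strip_svg_from_html(html: str) -> Tuple[str, int]:
    """Replace inline SVG and SVG-referencing <img> tags with PLACEHOLDER.
    Returns the filtered HTML and the number of replacements made."""
    count = 0

    def _img_repl(m: 're.Match') -> str:
        nonlocal count
        tag = m.group(0)
        src_m = _SRC_ATTR.search(tag)
        src = next((g for g in src_m.groups() if g is not None), '') if src_m else ''
        if _is_svg_source(src):
            count += 1
            return PLACEHOLDER
        return tag                                       # non-SVG image: keep as-is

    html, n = _INLINE_SVG.subn(PLACEHOLDER, html)        # inline <svg> first
    count += n
    html = _IMG_TAG.sub(_img_repl, html)                 # then SVG-backed <img> tags
    return html, count


# Constructed sample notification body: an emoticon rendered as an SVG <img>, a PNG, and inline SVG.
SAMPLE = ('<h3>[emoticon] What We Covered</h3>'
          '<img src="/emoticons/smile.svg" alt=":)"> '
          '<img src="/images/photo.png" alt="photo"> '
          '<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>')

if __name__ == '__main__':
    filtered, removed = strip_svg_from_html(SAMPLE)
    print(removed, filtered)
```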

