
Inbox XSS With Variables

Inbox Bug Fix

The inbox XSS variable vulnerability allowed malicious code supplied in a data variable to execute inside an inbox notification when the message was opened. The same code placed directly in the inbox template body is rendered as text and does not execute.

A customer reported the issue and demonstrated it with an iframe carrying a JavaScript alert payload. To reproduce it, create an inbox template, reference a variable in the template body, send a data payload that contains the malicious code in that variable, and then open the inbox message, where the code executes. The issue was in our Inbox and Components implementations on version 6.2.1. The release does not fix customers who have implemented their own Inbox on top of our APIs; they will need to implement a similar XSS fix if affected. Please reach out to Courier Support for help.
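For teams that built an inbox on top of the APIs, the following is an added example (not Courier's code) of the rendering difference described above: a template body that references a data variable, substituted once verbatim and once with the value HTML-escaped. The template syntax, `escapeHtml`, `renderUnsafe` and `renderSafe` are assumptions for illustration, and the sample template and payload are constructed.

```javascript
// Added example, not Courier's implementation. The template body is authored
// in the workspace and treated as trusted markup; the data payload is supplied
// at send time and must be treated as untrusted text.

// Escape the characters that can change HTML context when inserted into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable behaviour described on the page: the variable value is copied
// into the template as-is, so HTML in the payload becomes live markup.
function renderUnsafe(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => String(data[name] ?? ""));
}

// Fixed behaviour: the variable value is escaped before substitution, so the
// same payload is displayed as literal text when the message is opened.
function renderSafe(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => escapeHtml(data[name] ?? ""));
}

// Constructed sample: a template referencing {{name}} and a data payload that
// carries an iframe, mirroring the shape of the report on this page.
const sampleTemplate = "<p>Hello {{name}}, you have a new message.</p>";
const samplePayload = { name: '<iframe src="javascript:alert(1)"></iframe>' };

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderUnsafe(sampleTemplate, samplePayload));
  console.log("safe:  ", renderSafe(sampleTemplate, samplePayload));
}
```

The unsafe output contains a live `<iframe>` element; the safe output contains only `&lt;iframe ...&gt;`, which the browser shows as text.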

© 2024 Courier. All rights reserved.