I was able to edit the contents of the "Invite Collaborators" mail, by using HTML code as my first name. By exploiting this vulnerability, an attacker could send an email with custom text/html code from firstname.lastname@example.org (from the RelateIQ server) to any recipient. This can be used for phishing attacks (see attachment: example.png).
Steps to reproduce:
1. Register as a new user.
2. When asked for a name, enter exploit code in the first name field (see attachment: step2.png). For this demonstration I will use a simple example:
   You have been hacked. Click <a href="http://phishing-site">here</a> to reset your password.<div style="display:none">
3. Go through the final steps.
4. Go to home and send an invite to the target (see attachment: step4.png).
The target will now receive the phishing email (see attachment: email.png). In this simple example it is obvious that the email is fake, but better exploit code can be easily written.
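The root cause is that a user-controlled value (the first name) is interpolated into an HTML email template without escaping, so the "name" becomes markup and the trailing unclosed <div style="display:none"> hides the template's legitimate content. The following is an added example, not code from the report or from RelateIQ: it uses a constructed invite template (the real template is not known) and the report's own sample payload to show the vulnerable rendering beside the hardened one, plus an input check a defender can run at registration time.

```python
import html
import re

# Constructed template approximating an "Invite Collaborators" email body.
# Assumption: the real RelateIQ template is not known; this one only models
# the interpolation of a user-supplied name into HTML.
INVITE_TEMPLATE = (
    "<p>{first_name} {last_name} has invited you to collaborate.</p>"
    '<p><a href="{invite_url}">Accept invitation</a></p>'
)

# The sample first name from the report (constructed test input here).
HOSTILE_FIRST_NAME = (
    'You have been hacked. Click <a href="http://phishing-site">here</a> '
    'to reset your password.<div style="display:none">'
)

# Anything that looks like a tag; used for the registration-time check.
TAG_RE = re.compile(r"<[^>]*>")


def render_invite_unsafe(first_name, last_name, invite_url):
    """Vulnerable variant: raw user input is dropped straight into the HTML.

    With HOSTILE_FIRST_NAME the attacker's anchor becomes a live link and the
    unclosed <div style="display:none"> hides everything the template adds after it.
    """
    return INVITE_TEMPLATE.format(
        first_name=first_name, last_name=last_name, invite_url=invite_url
    )


def render_invite_safe(first_name, last_name, invite_url):
    """Hardened variant: HTML-escape every user-controlled value.

    html.escape turns <, >, &, " and ' into entities, so the name is shown as
    literal text and cannot introduce tags or attributes.
    """
    return INVITE_TEMPLATE.format(
        first_name=html.escape(first_name, quote=True),
        last_name=html.escape(last_name, quote=True),
        invite_url=html.escape(invite_url, quote=True),
    )


def contains_markup(value):
    """Defence in depth: flag a name field that contains anything tag-like.

    Output escaping is the real fix; this check lets the sign-up flow reject
    or log such values as well.
    """
    return bool(TAG_RE.search(value))


def count_anchors(body):
    """Count <a ...> tags in a rendered body.

    A correctly escaped invite contains exactly the template's own anchor.
    """
    return len(re.findall(r"<a\s", body))


if __name__ == "__main__":
    url = "https://example.invalid/invite/abc"  # constructed placeholder URL
    print("unsafe anchors:", count_anchors(render_invite_unsafe(HOSTILE_FIRST_NAME, "Doe", url)))
    print("safe anchors:  ", count_anchors(render_invite_safe(HOSTILE_FIRST_NAME, "Doe", url)))
    print("flagged at sign-up:", contains_markup(HOSTILE_FIRST_NAME))
```

Escaping at the point where the value enters HTML (or using a templating engine with auto-escaping on) is the fix that closes the whole class; the tag check only narrows what reaches the template and should not be relied on alone, since a "name" can still carry misleading plain text.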