Summary by GKData
Authenticated team owner on https://www.globe.gov can inject arbitrary HTML via "Message Body" in Email Team modal, sending to any team member without consent through official globe.gov email. HTML renders in received emails, enabling visual spoofing. Medium severity; escalates to High in admin/webmail contexts (potential XSS).
Safe PoC:
<h1 style="font-size:32px; color:#d00; font-family:Arial, sans-serif; text-align:center; text-shadow:1px 1px 2px #000;"> Security Alert: Action Required </h1>