Summary by CryptoKnight028
HTML injection via confirmed account email
*.doi.gov
Web App
https://edoiu.doi.gov/
Hi team,
I found an HTML injection in the edoiu "account request approved" email.
Steps to reproduce:
1) Go to the page (https://edoiu.doi.gov/login/signup.php)
2) Type an HTML payload in the "username" field, e.g.
<h1>USERNAME</h1> or <a href="www.evil.com">
3) Then click on "request account".
4) After 1-2 days, the account-approved mail will arrive, and in it you can see that the HTML code is executed in the mail.
Impact :
1) This vulnerability can lead to the reformatting/editing of emails from an official email address, which can be used in targeted phishing attacks.
2) This could lead to users being tricked into giving their logins away to malicious attackers.
An image is attached as PoC.
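The bug class behind the steps above, as an added example that is not part of the report and not the edoiu.doi.gov application's own code: a hypothetical approval-email template that interpolates the username straight into an HTML mail body (the flaw the report describes) beside the hardened version that escapes the value at the point where it enters the HTML context, plus a server-side username allowlist as a second layer. The template text, the function names and the allowlist rule are assumptions; only the two payloads come from the report.

```python
import html
import re

# Hypothetical approval-email template, constructed to illustrate the report's bug
# class. It is not the real edoiu mail template. The {username} placeholder sits
# inside an HTML context, so whatever lands there is interpreted as markup by the
# recipient's mail client.
APPROVAL_TEMPLATE = (
    "<html><body>"
    "<p>Dear {username},</p>"
    "<p>Your account request has been approved.</p>"
    "</body></html>"
)


def render_approval_vulnerable(username: str) -> str:
    """Vulnerable: raw interpolation, so tags in the username become tags in the mail."""
    return APPROVAL_TEMPLATE.format(username=username)


def render_approval_fixed(username: str) -> str:
    """Hardened: HTML-escape the value where it enters the HTML body.

    quote=True also escapes " and ', which matters if a value is ever placed
    inside an attribute rather than element text.
    """
    return APPROVAL_TEMPLATE.format(username=html.escape(username, quote=True))


# Defence in depth (assumed policy, not the site's): reject usernames that are not
# plain identifiers before they are stored, so a payload never reaches the template.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(username: str) -> bool:
    """True only for a short, tag-free identifier."""
    return _USERNAME_RE.fullmatch(username) is not None


# Simple check for the rendered mail: any tag that the template itself does not
# emit means user-controlled markup made it into the message.
_TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")


def contains_markup(body: str) -> bool:
    """True if the rendered body carries a tag beyond the template's own tags."""
    template_tags = set(_TAG_RE.findall(APPROVAL_TEMPLATE.format(username="")))
    return any(tag not in template_tags for tag in _TAG_RE.findall(body))


if __name__ == "__main__":
    # The two payloads from the report, used as constructed sample input.
    for payload in ["<h1>USERNAME</h1>", '<a href="www.evil.com">']:
        print("vulnerable:", contains_markup(render_approval_vulnerable(payload)))
        print("fixed     :", contains_markup(render_approval_fixed(payload)))
        print("allowlist :", validate_username(payload))
```

Escaping at the output boundary is the actual fix: an allowlist on the signup form alone is bypassable if the same field is writable through another path (an admin edit, an API, a bulk import), while escaping in the template neutralises the value regardless of where it came from.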