Summary by CryptoKnight028
HTML injection via confirmed account email
html injection in [https://edoiu.doi.gov/login/signup.php]
Disclosed by CryptoKnight028- Program Department of Interior: Vulnerability Disclosure Program
- Disclosed date over 2 years ago
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Report details
-
Submitted
-
Target Location
*.doi.gov -
Target category
Web App
-
VRT
Server-Side Injection > Content Spoofing > Email HTML Injection -
Priority
P4 -
Bug URL
https://edoiu.doi.gov/ -
Description
Hi team,
I found html injection on edoiu account request approved email .Steps_to_produce :
1) Go to page (https://edoiu.doi.gov/login/signup.php)
2) Type html payload in "username" field
<h1>USERNAME</h1> or <a href="www.evil.com">
3) Then click on request account
4) After 1-2 days ,account approved mail will come in that you can see html code is executed in mail .Impact :
1) This vulnerability can lead to the reformatting/editing of emails from an official email address, which can be used in targeted phishing attacks.
2) This could lead to users being tricked into giving logins away to malicious attackers.Image is attached as poc .