Summary by customer
We are working on a complete fix.
Html injection in Send email to recipient
Disclosed by
- Engagement Undisclosed
- Disclosed date over 2 years ago
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by rynexx
Can we disclose?
Report details
-
Submitted
-
Target Location
https://withpersona.com -
Target category
Web App
-
VRT
Server-Side Injection > Content Spoofing > Email HTML Injection -
Priority
P4 -
Bug URL
https://app.withpersona.com/ -
Description
Hi team ,
I found a vulnerability on https://app.withpersona.com/Steps to reproduce :
Navigate to https://app.withpersona.com-Inquiries-all quiries
Click on create inquiry
Enable Send email to recipient-again click on create quiry
Input victims email & all other information
In body input this payload & send
payload :
<a href=google.com>click</a>
<img src="https://wallpapercave.com/wp/wp1836582.jpg">- Open victims email -as you can see html injected
Impact : html injection
Watch the video poc for better understanding : 
Activity
- personarohan Customer published the disclosure report
- rynexx requested disclosure
- Persona Jira Integration changed the state to Resolved
- ace_bugcrowd sent a message
- ace_bugcrowd marked the submission a duplicate of a previously submitted report
- ace_bugcrowd changed the state to Unresolved
- ace_bugcrowd updated the submission
- ace_bugcrowd updated VRT to Server-Side Injection > Content Spoofing > Email HTML Injection
- rynexx created the submission
