Summary by CryptoKnight028
HTML injection via confirmed account email
- Engagement Department of Interior: Vulnerability Disclosure Program
- Disclosed date over 3 years ago
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Report details
-
Submitted
-
Target Location
*.doi.gov -
Target category
Web App
-
VRT
Server-Side Injection > Content Spoofing > Email HTML Injection -
Priority
P4 -
Bug URL
https://edoiu.doi.gov/ -
Description
Hi team,
I found html injection on edoiu account request approved email .Steps_to_produce :
1) Go to page (https://edoiu.doi.gov/login/signup.php)
2) Type html payload in "username" field
<h1>USERNAME</h1> or <a href="www.evil.com">
3) Then click on request account
4) After 1-2 days ,account approved mail will come in that you can see html code is executed in mail .Impact :
1) This vulnerability can lead to the reformatting/editing of emails from an official email address, which can be used in targeted phishing attacks.
2) This could lead to users being tricked into giving logins away to malicious attackers.Image is attached as poc .
Activity
- DOI_RPI Customer published the disclosure report
- CryptoKnight028 requested disclosure
- DOI_RPI Customer sent a message
- DOI_RPI Customer changed the state to Resolved
- DOI_RPI Customer sent a message
- IOS_DOI_KM Customer changed the state to Unresolved
- IOS_DOI_KM Customer changed the state to Triaged
- IOS_DOI_KM Customer changed the state to Unresolved
- chickenJoe sent a message
- chickenJoe changed the state to Triaged
- chickenJoe updated the submission
- CryptoKnight028 created the submission
