HTML Injection Vulnerability in welcome email
Summary:
This report outlines the discovery of an HTML Injection vulnerability within the target application. The vulnerability allows an attacker to inject malicious HTML code into user interfaces, potentially leading to various security risks. This report provides details on the vulnerability, steps to reproduce it, and its potential impact, along with recommendations for remediation.
Vulnerability Detail:
Vulnerability Type: HTML Injection Vulnerable Affected URL: https://accounts.eclipse.org/user/register?destination=user
Steps To Reproduce:
- Navigate to this url: [https://accounts.eclipse.org/user/register?destination=user]
- Enter Your Information, But in First name & Last name field insert the html injection payload as follows:-
First name = ( <a href=”evil.com”><h1>Please click here to login to your account<h1></a> )
Last name = ( <!-- )
- After that, the confirmation link is sent to the mentioned Gmail account.
- Then the email is received by the victim, where the payload is successfully executed.
Impact:
The HTML Injection vulnerability can have various impacts, including but not limited to:
- Manipulation of the application's appearance and behavior, leading to user confusion or deception.
- Defacement of web pages, impacting the application's reputation and user trust.
Edited by Christopher Guindon