Html Injection lead to cross site scripting in erudika/para


Reported on

May 14th 2022


Hi, I found a way to inject HTML into the user's email. So in this case, if an attacker sets the victim's name to an HTML form, it will be rendered by your system and the rendered HTML will then be sent to the victim.

Proof of Concept

  1. Go to the signup page and, in the name field, add this payload:

```html
<form action="" method="post"> <label for="username">Username:</label> <input class="userbox" type="text" name="username"/><br /> <label for="password">Password:</label> <input type="text" name="password" > <input class="button" type="submit" value="submit" /> </form>
```

  2. Enter the victim's email and create a new account
  3. Now go to the mail and check: you will see our code has been rendered as HTML
  4. Submit the form and XSS

```javascript
// PoC.js
var payload = ...
```


Cross-site scripting can be used to steal users' cookies, which will eventually lead to account takeover.
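The following is an added illustration, not part of the report and not erudika/para's code or its actual fix: it shows why the payload above becomes live markup when a user-supplied name is interpolated verbatim into an HTML e-mail, and how HTML-escaping the name before interpolation turns the same payload into inert text. The welcome-mail template and function names are assumptions made for the example; only the payload comes from the report.

```python
"""Added example (not erudika/para code): unescaped user name rendered as
markup in an HTML e-mail versus the same name HTML-escaped.
The template and function names are assumptions for illustration."""
import html
from html.parser import HTMLParser

# Payload from the report: a fake login form placed in the "name" field.
PAYLOAD = (
    '<form action="" method="post"> <label for="username">Username:</label> '
    '<input class="userbox" type="text" name="username"/><br /> '
    '<label for="password">Password:</label> <input type="text" name="password" > '
    '<input class="button" type="submit" value="submit" /> </form>'
)

# Constructed stand-in for a welcome e-mail template; not the project's template.
TEMPLATE = "<html><body><p>Hi {name}, welcome!</p></body></html>"


def render_email_unsafe(name: str) -> str:
    """Vulnerable variant: the name is dropped into the HTML body as-is."""
    return TEMPLATE.format(name=name)


def render_email_safe(name: str) -> str:
    """Hardened variant: <, >, &, and quotes are escaped, so the mail client
    shows the name as text instead of parsing it as elements."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag a mail client would parse from the document."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(document: str) -> list[str]:
    """Return the start tags present in a rendered e-mail body."""
    parser = TagCollector()
    parser.feed(document)
    return parser.tags


def injected_form_present(document: str) -> bool:
    """Detection check: does the rendered mail contain attacker-controlled
    form or input elements? True means the injection succeeded."""
    tags = rendered_tags(document)
    return "form" in tags or "input" in tags


if __name__ == "__main__":
    for label, render in (("unsafe", render_email_unsafe), ("safe", render_email_safe)):
        body = render(PAYLOAD)
        print(f"{label}: injected form rendered? {injected_form_present(body)}")
```

Running the block prints `unsafe: injected form rendered? True` and `safe: injected form rendered? False`. The escaped variant still contains the attacker's text, but only as `&lt;form ...&gt;`, which the parser reports as character data rather than as elements.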

We are processing your report and will contact the erudika/para team within 24 hours. (2 years ago)
Distorted_Hacker modified the report (2 years ago)
We have contacted a member of the erudika/para team and are waiting to hear back (2 years ago)
Alex Bogdanovski validated this vulnerability (2 years ago)
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski marked this as fixed in v1.45.11 with commit 9d844f (2 years ago)
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE (2 years ago)


Hi @admin, can you please assign a CVE?

Jamie Slome
2 years ago


Sorted 👍
