Hyperlink injection through access token name in ikus060/rdiffweb


Reported on

Dec 20th 2022


Hyperlink Injection it’s when attacker injecting a malicious link when sending an email invitation. Hyperlink injection in the email can lead to phishing via email directly to users.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens
2) Create a new access token with name "evil.com"
3) You will see that an email will trigger on the registered email with the hyperlink injected successfully 
4) Click on the hyperlink and you will be redirected to a malicious website

# Impact

This vulnerability allows an attacker to redirect a victim to malicious website
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 20 days ago
Patrik Dufresne validated this vulnerability 19 days ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.5.5 with commit 6afaae 17 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 17 days ago
to join this conversation