Hyperlink injection through access token name in ikus060/rdiffweb
Dec 20th 2022
Hyperlink Injection it’s when attacker injecting a malicious link when sending an email invitation. Hyperlink injection in the email can lead to phishing via email directly to users.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens 2) Create a new access token with name "evil.com" 3) You will see that an email will trigger on the registered email with the hyperlink injected successfully 4) Click on the hyperlink and you will be redirected to a malicious website # Impact This vulnerability allows an attacker to redirect a victim to malicious website