Hyperlink injection through access token name in ikus060/rdiffweb

Valid

Reported on

Dec 20th 2022

Description

Hyperlink Injection it’s when attacker injecting a malicious link when sending an email invitation. Hyperlink injection in the email can lead to phishing via email directly to users.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens
2) Create a new access token with name "evil.com"
3) You will see that an email will trigger on the registered email with the hyperlink injected successfully 
4) Click on the hyperlink and you will be redirected to a malicious website




# Impact

This vulnerability allows an attacker to redirect a victim to malicious website

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 20 days ago

Patrik Dufresne validated this vulnerability 19 days ago

Nehal Pillai has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Patrik Dufresne marked this as fixed in 2.5.5 with commit 6afaae 17 days ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Patrik Dufresne published this vulnerability 17 days ago

to join this conversation