Html Injection to Open redirect in alextselegidis/easyappointments

Valid

Reported on

Mar 24th 2023


Description

Steps to reproduce:

  1. Open https://demo.easyappointments.org/index.php/backend/index and click on "create meet".
  2. In the first name field, enter the open redirect payload below and save it.

<a href=https://evil.com>click me</a>

Impact

An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
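The rendering defect behind the report, as an added example that is not code from Easy!Appointments (a PHP project) or from the reporter: a hypothetical backend row template filled with a customer record with and without output escaping, an input-side check that rejects markup in name fields, and a triage scan over constructed records modelled on the payload above.

```python
import html
import re
from string import Template

# Constructed sample customer records, modelled on the report's payload
# (not data from the project or the demo instance).
CUSTOMERS = [
    {"id": 1, "first_name": "Alice", "last_name": "Smith"},
    {"id": 2, "first_name": "<a href=https://evil.com>click me</a>", "last_name": "Doe"},
    {"id": 3, "first_name": "Bob <3", "last_name": "O'Neil"},
]

# Hypothetical template fragment for a customer cell in the backend page.
ROW_TEMPLATE = Template('<td class="customer-name">$first $last</td>')


def render_row_unescaped(customer):
    """Vulnerable rendering: raw values are interpolated, so markup stored in a
    customer name becomes live HTML (the injected anchor in the report)."""
    return ROW_TEMPLATE.substitute(first=customer["first_name"],
                                   last=customer["last_name"])


def render_row_escaped(customer):
    """Hardened rendering: escape on output so the browser shows the text verbatim."""
    return ROW_TEMPLATE.substitute(
        first=html.escape(customer["first_name"], quote=True),
        last=html.escape(customer["last_name"], quote=True),
    )


# Matches an HTML tag (opening or closing); a bare "<3" is not a tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def name_contains_markup(value):
    """Input-side check: a person's name never legitimately contains an HTML tag."""
    return bool(TAG_RE.search(value))


def find_tainted_customers(customers):
    """Triage helper: ids of stored records whose name fields carry markup."""
    return [c["id"] for c in customers
            if name_contains_markup(c["first_name"])
            or name_contains_markup(c["last_name"])]


if __name__ == "__main__":
    for c in CUSTOMERS:
        print(render_row_unescaped(c))
        print(render_row_escaped(c))
    print("tainted record ids:", find_tainted_customers(CUSTOMERS))
```

Escaping on output is the fix that closes the injection; the input check and scan are for rejecting new payloads and finding records that were stored before the fix.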

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 2 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 2 months ago
Alex Tselegidis modified the Severity from High (7.6) to High (7.6) 2 months ago
Alex Tselegidis validated this vulnerability 2 months ago
Rahul Parmar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit 2255c8 2 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability will not receive a CVE
Alex Tselegidis published this vulnerability 2 months ago
Rahul Parmar
2 months ago

Researcher


Can you please give CVE ID for this?
