Html Injection Reflected in Login Page in froxlor/froxlor
Valid
Reported on Nov 4th 2022
Description
HTML injection is a vulnerability in which an attacker can inject malicious HTML content into the login web page.
Proof of Concept
Navigate to:
https://demo.froxlor.org/index.php?showmessage=4&customermail=%22%3Cmarquee%3E%3Ch3%3EHTML/INJECTION/HERE%22@x.y
Impact
An attacker can abuse a trusted but vulnerable website through HTML injection: they can build a fake page using stored HTML injection, or escalate to XSS. Once XSS is achieved, threat actors can steal cookies, hijack accounts, and steal credentials and other sensitive information. Alternatively, an attacker can inject a tag such as <a href="http://evil.com">click here to get gift</a> as a phishing lure that redirects the victim to another website.
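The following PHP snippet is an added example, not froxlor's own code. It reproduces the bug class from the report in a hypothetical renderMessage function (the message text and function names are assumptions), feeds it the URL-decoded customermail payload from the proof of concept, and shows the same rendering with context-appropriate output encoding applied. It also shows why an e-mail validity check alone is not a fix: RFC 5321 permits a quoted local part containing characters such as < and >, so the payload can still be syntactically an address.

```php
<?php
// Added example (not froxlor's code): rendering a user-supplied e-mail
// address into a status message on a login page.
declare(strict_types=1);

// Constructed sample input: the URL-decoded value of the customermail
// parameter from the report's proof of concept.
$customermail = '"<marquee><h3>HTML/INJECTION/HERE"@x.y';

// Vulnerable pattern (hypothetical): the parameter is concatenated straight
// into HTML, so the browser parses the injected tags and renders them.
function renderMessageVulnerable(string $mail): string
{
    return '<div class="alert">We have sent an e-mail to ' . $mail . '</div>';
}

// Fixed pattern: encode for the HTML body context before reflecting.
// ENT_QUOTES also encodes single quotes, which matters if the value ever
// lands inside an attribute; the explicit charset avoids encoding surprises.
function renderMessageFixed(string $mail): string
{
    $safe = htmlspecialchars($mail, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert">We have sent an e-mail to ' . $safe . '</div>';
}

// Complementary check only: a syntactic e-mail validator may still accept a
// quoted local part that carries HTML metacharacters, so this does not
// replace output encoding. Useful for rejecting obviously malformed input.
function looksLikeEmail(string $mail): bool
{
    return filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;
}

echo "Vulnerable output:\n", renderMessageVulnerable($customermail), "\n\n";
echo "Fixed output:\n", renderMessageFixed($customermail), "\n\n";
echo "Passes FILTER_VALIDATE_EMAIL: ",
    var_export(looksLikeEmail($customermail), true), "\n";
```

Run it with `php example.php`. In the fixed output every `<`, `>` and `"` in the address arrives as `&lt;`, `&gt;` and `&quot;`, so the browser displays the string literally instead of rendering a marquee and a heading. The same encoding rule applies to any other reflected parameter on the page, and a web application firewall or request log filter matching `<` in the customermail parameter gives a cheap detection signal for probing of this endpoint.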
We are processing your report and will contact the froxlor team within 24 hours.
6 months ago
Hakiduck modified the report
6 months ago
We have contacted a member of the froxlor team and are waiting to hear back
6 months ago
I patched the referenced report 9 days ago; yesterday was the release. Why report this today?
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7