Stored HTML Injection in Edit Customers in froxlor/froxlor

Valid

Reported on Oct 26th 2022


Description

HTML injection is a vulnerability in which an attacker can inject malicious HTML content into a web page.

Proof of Concept

1. Open the Edit Customers tab and click Edit customer.
2. Enter this payload in the Name field: <marquee>TEST TEST TEST</marquee>. Then click Save.
3. Go to the profile page of this customer, where you will see the payload rendered as HTML.

Video POC: https://drive.google.com/file/d/1PQsCXKOrcZb80xj91vzjIaDGEN562h2Y/view?usp=sharing

Impact

An attacker can abuse a trusted website that is vulnerable to HTML injection. With stored HTML injection they can create a fake web page, or they can achieve XSS. After achieving XSS, threat actors can steal cookies, hijack accounts, and steal credentials and other sensitive information. An attacker can also use a tag such as <a href="http://evil.com">click here to get gift</a> as a phishing lure that redirects the victim to another website.
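The vulnerable rendering pattern described above, next to its output-encoded form, plus an audit pass for records that already hold markup. This is an added example, not froxlor's code and not the change made in the fix commit; the function names, the record layout and the sample customers are assumptions, and only the two payload strings come from the report.

```php
<?php
declare(strict_types=1);

/** Encode a stored value for an HTML text or attribute context. */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored value is concatenated into markup as-is. */
function renderProfileUnsafe(array $customer): string
{
    return '<h2>Customer: ' . $customer['name'] . '</h2>';
}

/** Hardened pattern: same template, value encoded at output time. */
function renderProfileSafe(array $customer): string
{
    return '<h2>Customer: ' . encodeForHtml($customer['name']) . '</h2>';
}

/** Audit helper: return the ids of records whose name already contains markup. */
function findNamesWithMarkup(array $customers): array
{
    $flagged = [];
    foreach ($customers as $customer) {
        // strip_tags() alters the string only when tag-like content is present.
        if (strip_tags($customer['name']) !== $customer['name']) {
            $flagged[] = $customer['id'];
        }
    }
    return $flagged;
}

// Constructed sample records; ids and benign names are made up for the example.
$customers = [
    ['id' => 1, 'name' => 'Alice Example'],
    ['id' => 2, 'name' => '<marquee>TEST TEST TEST</marquee>'],
    ['id' => 3, 'name' => '<a href="http://evil.com">click here to get gift</a>'],
    ['id' => 4, 'name' => 'O\'Brien & Sons'],
];

foreach ($customers as $customer) {
    echo renderProfileUnsafe($customer), PHP_EOL;
    echo renderProfileSafe($customer), PHP_EOL;
}
echo 'Records to review: ', implode(', ', findNamesWithMarkup($customers)), PHP_EOL;
```

Encoding at output time keeps legitimate names such as the fourth record intact while neutralising markup, and the audit pass matters because values stored before a fix remain in the database.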

We are processing your report and will contact the froxlor team within 24 hours. a year ago
Hoang Van Hiep modified the report a year ago
We have contacted a member of the froxlor team and are waiting to hear back a year ago
Michael Kaufmann validated this vulnerability a year ago
Hoang Van Hiep has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 0.10.39 with commit 118245 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Michael Kaufmann published this vulnerability a year ago