Submission #502668: Eastnets PaymentSafe 2.5.26.0 HTML Injection Info

Title: Eastnets PaymentSafe 2.5.26.0 HTML Injection
Description: HTML injection attacks are closely related to cross-site scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
Steps to reproduce:
1. Log in to the application.
2. Navigate to "Manual reply" and edit any entry or create a new entry.
3. It has been observed that the application does not allow an HTML payload, such as an h1 tag, to be entered in the title parameter.
4. Enter any random string in the title and intercept the save request.
5. Here, enter an HTML payload such as an h1 tag in the title parameter and forward the request.
6. It can be seen that the application accepts the request/payload and that it has been executed.
Source: https://drive.google.com/file/d/1-4BwJxzKUdVRsi6PYh68mKzeIPAqug1Q/view
User: Upasana (UID 12274)
Submitted: 2025-02-17 20:14 (1 year ago)
Moderation: 2025-03-01 08:40 (12 days later)
Status: Accepted
VulDB entry: 298065 [Eastnets PaymentSafe 2.5.26.0 Edit Manual Reply /directRouter.rfc Title cross-site scripting]
Points: 20
