Submit #502668: Eastnets PaymentSafe 2.5.26.0 HTML Injection

Information

Title: Eastnets PaymentSafe 2.5.26.0 HTML Injection

Description: HTML injection attacks are closely related to cross-site scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.

Steps to reproduce:
1. Log in to the application.
2. Navigate to "Manual reply" and edit any entry or create a new entry.
3. It has been observed that the application does not allow an HTML payload, such as an h1 tag, to be entered in the title parameter.
4. Enter any random string in the title and intercept the save request.
5. Here, enter an HTML payload such as an h1 tag in the title parameter and forward the request.
6. It can be seen that the application accepts the request/payload and that it has been executed.

Source: ⚠️ https://drive.google.com/file/d/1-4BwJxzKUdVRsi6PYh68mKzeIPAqug1Q/view
User: Upasana (UID 12274)
Submission: 17.02.2025 20:14 (1 year ago)
Moderation: 01.03.2025 08:40 (12 days later)
Status: Accepted
VulDB entry: 298065 [Eastnets PaymentSafe 2.5.26.0 Edit Manual Reply /directRouter.rfc Title cross-site scripting]
Points: 20