Submit #502668: Eastnets PaymentSafe 2.5.26.0 HTML Injection

Title: Eastnets PaymentSafe 2.5.26.0 HTML Injection
Description: HTML injection attacks are closely related to cross-site scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
Steps to reproduce:
1. Log in to the application.
2. Navigate to "Manual reply" and edit any entry or create a new entry.
3. It has been observed that the application does not allow an HTML payload, such as an h1 tag, to be entered in the title parameter.
4. Enter any random string in the title and intercept the save request.
5. Here, enter an HTML payload such as an h1 tag in the title parameter and forward the request.
6. It can be seen that the application accepts the request/payload and the payload has been executed.
Source: https://drive.google.com/file/d/1-4BwJxzKUdVRsi6PYh68mKzeIPAqug1Q/view
User: Upasana (UID 12274)
Submission: 02/17/2025 20:14 (1 Year ago)
Moderation: 03/01/2025 08:40 (12 days later)
Status: Accepted
VulDB entry: 298065 [Eastnets PaymentSafe 2.5.26.0 Edit Manual Reply /directRouter.rfc Title cross site scripting]
Points: 20
