Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneKurogaiH1:2417864
HistoryMar 15, 2024 - 7:51 a.m.

U.S. Dept Of Defense: Reflected XSS on error message on Login Page

2024-03-1507:51:53
kurogai
hackerone.com
4
reflected xss
login page
javascript injection
user cookies
website defacement
mitigation.

6 Medium

AI Score

Confidence

High

JSON

Greetings!

I’ve found a reflected XSS on a login page on█████ . The vulnerable link is: https://███████/users/login?error=<img src>

█████████

Impact

An attacker can inject crafted javascript that can steal user cookies, impersionate, steal information, deface the website and redirect user to another domain

System Host(s)

██████████

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce

Access https://██████/users/login?error=<img src>

Suggested Mitigation/Remediation Actions

Sanitize the output with htmlspecialchars();

6 Medium

AI Score

Confidence

High

JSON