LocalTapiola: HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi)

2016-11-12T19:13:49
ID H1:181810
Type hackerone
Reporter bobrov
Modified 2016-12-10T10:57:20

Description

Steps to reproduce

1. Open link http://viestinta.lahitapiola.fi/webApp/lahti
2. Set "Etunimi" to <a href="//bf.am">Welcome</a>
3. Set "Sähköposti" to the victim's email
4. Other fields may be arbitrary
5. Submit the form

{F134348}

Result

The victim receives an email from tilaisuudet.markkinointi@lahitapiola.fi which contains a link to a fake site.

{F134349}
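The report does not show the server-side code, so the following is an added illustration, not LähiTapiola's implementation: a constructed HTML e-mail template that interpolates the "Etunimi" field verbatim (the behaviour the report describes), the same template with the value HTML-escaped, and a small parser that pulls anchor targets out of the resulting body so a tester can confirm whether the submitted markup survived into the message. The template text, payload and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample template. The real /webApp/lahti template is not on the
# page; this one only mirrors the report's point that the first-name field
# lands inside an HTML e-mail body.
TEMPLATE = "<p>Hei {name},</p><p>Kiitos ilmoittautumisesta.</p>"

# The payload from the report's step 2.
PAYLOAD = '<a href="//bf.am">Welcome</a>'


def render_vulnerable(name: str) -> str:
    """Interpolate the user-controlled name as-is: browser renders it as markup."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Escape <, >, &, and quotes so the name renders as literal text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _LinkCollector(HTMLParser):
    """Collect href attributes of every <a> tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value is not None:
                    self.hrefs.append(value)


def injected_links(body: str):
    """Return the link targets present in an e-mail body (empty if none)."""
    collector = _LinkCollector()
    collector.feed(body)
    collector.close()
    return collector.hrefs


if __name__ == "__main__":
    print("vulnerable:", injected_links(render_vulnerable(PAYLOAD)))  # ['//bf.am']
    print("escaped:   ", injected_links(render_safe(PAYLOAD)))       # []
```

Escaping the field closes the HTML injection, but it does not change the other property the report relies on: the form lets an unauthenticated visitor choose the recipient address, so the site still sends mail to arbitrary third parties from tilaisuudet.markkinointi@lahitapiola.fi. A fix should also consider whether that field needs confirmation or rate limiting.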