LocalTapiola: HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi)

ID H1:181810
Type hackerone
Reporter bobrov
Modified 2016-12-10T10:57:20


Steps to reproduce
1. Open link http://viestinta.lahitapiola.fi/webApp/lahti
2. Set "Etunimi" to <a href="//bf.am">Welcome</a>
3. Set "Sähköposti" to the victim's email
4. Other fields may be arbitrary
5. Submit the form


Result: The victim receives an email from tilaisuudet.markkinointi@lahitapiola.fi which contains a link to a fake site.
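The root cause described above is a form field ("Etunimi") being placed into an HTML email body without escaping, so markup typed into the name field is rendered as markup in the victim's mail client. The following Python example is added here to illustrate the defensive fix; it is not code from the report or from LocalTapiola's web application. The email template text, the name validation rule and the sample input are constructed assumptions (the sample link target is a placeholder, not the reporter's payload):

```python
import html
import re
from email.message import EmailMessage

# Constructed sample input: a first-name value carrying an anchor tag,
# the same class of input the report describes (placeholder link target).
SAMPLE_FIRST_NAME = '<a href="//example.invalid">Welcome</a>'

# Assumed HTML template for the confirmation email (not the real one).
TEMPLATE = (
    "<html><body><p>Hei {first_name},</p>"
    "<p>Kiitos ilmoittautumisesta.</p></body></html>"
)

# Assumed allow-list for a first name: letters (incl. Latin-1 accents such as
# Finnish ä, ö, å), spaces, apostrophes and hyphens, at most 80 characters.
NAME_RE = re.compile(r"[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ' -]{0,79}")


def is_plausible_name(value: str) -> bool:
    """Input validation: reject anything that is not shaped like a name.

    This is the first layer: a value containing '<', '>' or '"' never
    reaches the template at all."""
    return NAME_RE.fullmatch(value) is not None


def render_unsafe(first_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated straight into HTML."""
    return TEMPLATE.format(first_name=first_name)


def render_safe(first_name: str) -> str:
    """Hardened pattern: output encoding with html.escape, so '<', '>', '&'
    and quotes are shown as literal text instead of being parsed as tags."""
    return TEMPLATE.format(first_name=html.escape(first_name, quote=True))


def build_message(to_addr: str, first_name: str) -> EmailMessage:
    """Builds the outgoing email, applying both layers of defence."""
    if not is_plausible_name(first_name):
        raise ValueError("first name rejected by validation")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "noreply@example.invalid"  # placeholder sender
    msg["Subject"] = "Ilmoittautuminen"
    msg.set_content(render_safe(first_name), subtype="html")
    return msg


if __name__ == "__main__":
    print("unsafe body :", render_unsafe(SAMPLE_FIRST_NAME))
    print("safe body   :", render_safe(SAMPLE_FIRST_NAME))
    print("validated?  :", is_plausible_name(SAMPLE_FIRST_NAME))
    print(build_message("victim@example.invalid", "Ville-Matti").as_string())
```

Escaping at the point where the value is written into HTML is the fix that actually closes the hole; the name allow-list is defence in depth and also gives you a cheap detection signal, since a form submission rejected for containing `<` or `"` in a name field is worth logging.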