HackerOne report H1:2554003 by thpless
History: Jun 17, 2024 - 5:11 a.m.

U.S. Dept Of Defense: HTML Injection into https://www.██████.mil

2024-06-17 05:11:14
thpless
hackerone.com
14
html injection
website security
data theft
input validation
output encoding
mitigation

AI Score

7.2

Confidence

High

PoC

You can use the following link:
https://www.██████.mil/search/%2522%253E%253C/form%253E%253Ch1%253EHTML%2520INJECTION%2520IS%2520POSSIBLE%2520!!!%253C/h1%253E%253C/body%253E%253C/form%253E%253C!--

Impact

HTML injection can compromise the security and integrity of a website by allowing attackers to inject malicious HTML code, leading to unauthorized content display, data theft, or user redirection. It can result in a loss of user trust and potentially cause significant damage to a website’s reputation and user base.

System Host(s)

www.████.mil

Affected Product(s) and Version(s)

WordPress website

CVE Numbers

Steps to Reproduce

https://www.█████████.mil/search/%2522%253E%253C/form%253E%253Ch1%253EHTML%2520INJECTION%2520IS%2520POSSIBLE%2520!!!%253C/h1%253E%253C/body%253E%253C/form%253E%253C!--

Suggested Mitigation/Remediation Actions

Input validation and output encoding (escaping the reflected search term before it is written into the page's HTML) are essential to prevent HTML injection vulnerabilities.
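As an added illustration of that mitigation (example code, not part of the report or the affected site), the block below decodes the report's double-URL-encoded PoC path, renders it through an assumed search-form template both unescaped and with HTML output encoding, and uses a parser to show that only the unescaped version lets the term add an element to the page:

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import html

# Path segment copied from the report's PoC URL; the payload is URL-encoded twice.
POC_PATH = ("%2522%253E%253C/form%253E%253Ch1%253EHTML%2520INJECTION%2520IS"
            "%2520POSSIBLE%2520!!!%253C/h1%253E%253C/body%253E%253C/form%253E%253C!--")


def decode_search_term(path_segment: str) -> str:
    """Undo both layers of URL-encoding to get the string the template received."""
    return unquote(unquote(path_segment))


def render_unsafe(term: str) -> str:
    """Vulnerable pattern (assumed template, not the site's real markup): the raw
    term is concatenated into a quoted attribute, so a leading '">' closes the
    attribute and the tag and everything after it is parsed as markup."""
    return f'<form action="/search"><input name="q" value="{term}"></form>'


def render_safe(term: str) -> str:
    """Hardened form: html.escape encodes & < > " and ', so the term can no
    longer terminate the attribute or open new elements."""
    return f'<form action="/search"><input name="q" value="{html.escape(term)}"></form>'


class StartTagCollector(HTMLParser):
    """Records start tags in document order; used to check whether the
    reflected term changed the page structure."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Return the start tags an HTML parser sees in the rendered page."""
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    term = decode_search_term(POC_PATH)
    print("decoded term:", term)
    print("unsafe tags :", start_tags(render_unsafe(term)))  # ['form', 'input', 'h1']
    print("safe tags   :", start_tags(render_safe(term)))    # ['form', 'input']
```

The same check generalises to any reflection point: compare the tag list of the template rendered with an empty value against the list rendered with untrusted input, and treat any extra tag as a failed encoding.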