huntr | nehalr777 | 339687AF-6E25-4AD8-823D-C097F607EA70
Dec 20, 2022 - 3:38 p.m.

Hyperlink injection through access token name

2022-12-20 15:38:49
nehalr777
www.huntr.dev
Tags: hyperlink injection, phishing, access token

EPSS: 0.001 (percentile: 30.3%)

Description

Hyperlink injection occurs when an attacker gets a malicious link embedded in an email the application sends, such as an invitation or notification. Because the message arrives from a legitimate sender, an injected link can be used to phish users directly from their inbox.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens
2) Create a new access token with the name "evil.com"
3) A notification email is sent to the registered address, and the token name appears in it as an injected hyperlink
4) Clicking the hyperlink redirects the recipient to the malicious website
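The report does not show how the token name reaches the email, so the following is an added illustration rather than rdiffweb's own code: a hypothetical notification renderer that interpolates the raw token name (the pattern that makes a name like "evil.com" turn into a clickable link), beside a hardened version that restricts token names to an assumed allowlist of characters and HTML-escapes them before rendering, plus a small audit helper a defender could run over existing token names to spot ones that look like URLs. The allowlist, the message wording and the sample names are assumptions made for this example.

```python
import html
import re

# Constructed sample: the token name used in the report's proof of concept.
SAMPLE_NAME = "evil.com"

# Hypothetical allowlist for token names: letters, digits, space, '-' and '_',
# 1-64 characters. It deliberately excludes '.', '/' and ':' so a name can
# never resemble a domain or a URL that a mail client would auto-link.
TOKEN_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")

# Fragments that common mail clients turn into clickable links even without
# explicit <a> markup: a scheme, a leading "www.", or a bare domain.tld.
LINK_LIKE_RE = re.compile(r"(https?://|www\.|[A-Za-z0-9-]+\.[A-Za-z]{2,})", re.IGNORECASE)


def looks_like_link(name: str) -> bool:
    """True if the name contains something a mail client would auto-link."""
    return LINK_LIKE_RE.search(name) is not None


def is_valid_token_name(name: str) -> bool:
    """Allowlist check applied before a token is created or renamed."""
    return TOKEN_NAME_RE.fullmatch(name) is not None


def validate_token_name(name: str) -> str:
    """Reject any name outside the allowlist; returns the name unchanged otherwise."""
    if not is_valid_token_name(name):
        raise ValueError("token name may only contain letters, digits, spaces, '-' and '_'")
    return name


def render_notification_vulnerable(name: str) -> str:
    """Vulnerable pattern (hypothetical): the raw name is interpolated into the
    HTML body. Markup in the name passes through unescaped, and a bare
    domain such as "evil.com" is auto-linked by many mail clients."""
    return f"<p>A new access token named {name} was created.</p>"


def render_notification_hardened(name: str) -> str:
    """Hardened pattern: validate against the allowlist, then HTML-escape.
    Validation removes URL-like names; escaping removes injected markup."""
    safe = html.escape(validate_token_name(name), quote=True)
    return f"<p>A new access token named <code>{safe}</code> was created.</p>"


def find_suspicious_token_names(names):
    """Audit helper: return existing token names that would be auto-linked
    or that fail the allowlist, so they can be reviewed or renamed."""
    return [n for n in names if looks_like_link(n) or not is_valid_token_name(n)]


if __name__ == "__main__":
    # Constructed inventory of token names for the audit helper.
    inventory = ["laptop-backup", SAMPLE_NAME, "www.example.test", "nas_sync"]
    print("suspicious:", find_suspicious_token_names(inventory))
    print(render_notification_vulnerable(SAMPLE_NAME))
    print(render_notification_hardened("laptop-backup"))
```

Escaping alone is not enough here: "evil.com" contains no HTML at all, so `html.escape` leaves it untouched and the mail client still renders it as a link. The allowlist is what removes the phishing vector, and the audit helper gives a quick way to find names created before the check was in place.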

