ghsa-26xq-m8xw-6373
Vulnerability from github
Published: 2025-03-11 20:31
Modified: 2025-06-03 17:35
Summary: Froxlor has an HTML Injection Vulnerability
Details

Summary

An HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication.

Observation

The email section of the customer account portal has a function to create an email address, and it accepts user input. When the request is intercepted and the "domain" field is replaced with an HTML injection payload containing an anchor tag, the injected payload is reflected on an error page. Clicking the injected link redirects the user to an external website, confirming the presence of an HTML Injection vulnerability.

PoC

  1. Navigate to the Email section in the Customer Account Portal and create a new email address.

  2. Enter any garbage value in the required field and intercept the request using Burp Suite.

  3. Locate the "domain" field in the intercepted request and replace its value with the following HTML Injection payload:

    <a href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x77;&#x77;&#x77;&#x2e;&#x67;&#x6f;&#x6f;&#x67;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">CLiCK</a>

  4. Forward the modified request and observe that the injected payload is reflected on an error page.

  5. Click on the displayed "CLiCK" link to verify that it redirects to https://www.google.com, confirming the presence of HTML Injection.

Impact

An attacker can exploit this HTML Injection vulnerability to manipulate the portal’s content, conduct phishing attacks, deface the application, or trick users into clicking malicious links. This can lead to credential theft, malware distribution, reputational damage, and potential compliance violations.

The users of the customer account portal are impacted by this vulnerability. Specifically, any user who interacts with the email section of the portal may be tricked into clicking malicious links, leading to potential phishing attacks, credential theft, and exposure to other malicious activities. The organization hosting the portal could also be impacted by reputational damage and compliance violations.

Recommendation

It is recommended to implement proper input validation and output encoding to prevent HTML Injection. The application should sanitize user input by stripping or escaping HTML tags before rendering it on the page.
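
The recommendation above as an added PHP example (not Froxlor's code and not the change made in the referenced fix commit): the same error message is built once from the raw "domain" value and once with input validation plus output encoding. The function names and the error text are hypothetical; the test input is the payload from the PoC.

```php
<?php
declare(strict_types=1);

// Hypothetical function names and error text; this is not Froxlor's code.

// Vulnerable shape: the submitted value is concatenated into the error page.
function renderErrorUnsafe(string $domain): string
{
    return '<div class="error">The domain ' . $domain . ' does not exist.</div>';
}

// Input validation: accept only syntactically valid hostnames.
function isValidDomain(string $domain): bool
{
    return filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Output encoding: escape at the point of rendering, regardless of validation.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderErrorSafe(string $domain): string
{
    if (!isValidDomain($domain)) {
        // Rejected input is not echoed back at all.
        return '<div class="error">The submitted domain is not valid.</div>';
    }
    return '<div class="error">The domain ' . e($domain) . ' does not exist.</div>';
}

// Payload from the PoC above (entity-encoded href).
$payload = '<a href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x77;&#x77;&#x77;'
    . '&#x2e;&#x67;&#x6f;&#x6f;&#x67;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">CLiCK</a>';

echo "unsafe : ", renderErrorUnsafe($payload), PHP_EOL;   // anchor tag reaches the page intact
echo "safe   : ", renderErrorSafe($payload), PHP_EOL;     // generic message, payload dropped
echo "encoded: ", e($payload), PHP_EOL;                   // < > " & become entities, so it renders as text
echo "valid  : ", renderErrorSafe('example.com'), PHP_EOL; // constructed benign value passes both checks
```

Encoding is applied even after validation passes, so a later change that loosens the validator does not reopen the injection.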

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T20:31:08Z",
    "nvd_published_at": "2025-06-02T12:15:25Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-26xq-m8xw-6373",
  "modified": "2025-06-03T17:35:31Z",
  "published": "2025-03-11T20:31:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/Froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor has an HTML Injection Vulnerability"
}

