GHSA-26XQ-M8XW-6373
Vulnerability from github – Published: 2025-03-11 20:31 – Updated: 2025-06-03 17:35Summary
An HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication.
Observation
It is observed that in the portal of the customer account, there is a functionality in the email section to create an email address that accepts user input. By intercepting the request and modifying the "domain" field with an HTML injection payload containing an anchor tag, the injected payload is reflected on an error page. When clicked, it redirects users to an external website, confirming the presence of an HTML Injection vulnerability.
PoC
-
Navigate to the Email section in the Customer Account Portal and create a new email address.
-
Enter any garbage value in the required field and intercept the request using Burp Suite.
-
Locate the "domain" field in the intercepted request and replace its value with the following HTML Injection payload:
<a href="https://www.google.com">CLiCK</a> -
Forward the modified request and observe that the injected payload is reflected on an error page.
-
Click on the displayed "CLiCK" link to verify that it redirects to
https://www.google.com, confirming the presence of HTML Injection.
Impact
An attacker can exploit this HTML Injection vulnerability to manipulate the portal’s content, conduct phishing attacks, deface the application, or trick users into clicking malicious links. This can lead to credential theft, malware distribution, reputational damage, and potential compliance violations. The users of the customer account portal are impacted by this vulnerability. Specifically, any user who interacts with the email section of the portal may be tricked into clicking malicious links, leading to potential phishing attacks, credential theft, and exposure to other malicious activities. The organization hosting the portal could also be impacted by reputational damage and compliance violations.
Recommendation
It is recommended to implement proper input validation and output encoding to prevent HTML Injection. The application should sanitize user input by stripping or escaping HTML tags before rendering it on the page.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.5"
},
"package": {
"ecosystem": "Packagist",
"name": "froxlor/froxlor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48958"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-11T20:31:08Z",
"nvd_published_at": "2025-06-02T12:15:25Z",
"severity": "MODERATE"
},
"details": "### Summary\n_An HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication._\n\n### Observation\n_It is observed that in the portal of the customer account, there is a functionality in the email section to create an email address that accepts user input. By intercepting the request and modifying the \"domain\" field with an HTML injection payload containing an anchor tag, the injected payload is reflected on an error page. When clicked, it redirects users to an external website, confirming the presence of an HTML Injection vulnerability._\n\n### PoC\n1. Navigate to the Email section in the Customer Account Portal and create a new email address.\n\n2. Enter any garbage value in the required field and intercept the request using Burp Suite.\n\n3. Locate the \"domain\" field in the intercepted request and replace its value with the following HTML Injection payload:\n\n\t`\u003ca href=\"\u0026#x68;\u0026#x74;\u0026#x74;\u0026#x70;\u0026#x73;\u0026#x3a;\u0026#x2f;\u0026#x2f;\u0026#x77;\u0026#x77;\u0026#x77;\u0026#x2e;\u0026#x67;\u0026#x6f;\u0026#x6f;\u0026#x67;\u0026#x6c;\u0026#x65;\u0026#x2e;\u0026#x63;\u0026#x6f;\u0026#x6d;\"\u003eCLiCK\u003c/a\u003e`\n\n4. Forward the modified request and observe that the injected payload is reflected on an error page.\n\n5. Click on the displayed \"CLiCK\" link to verify that it redirects to `https://www.google.com`, confirming the presence of HTML [Injection.]([url]([froxlor_HTML-INJECTION.mp4.zip](https://github.com/user-attachments/files/18311429/froxlor_HTML-INJECTION.mp4.zip)))\n\n### Impact\n_An attacker can exploit this HTML Injection vulnerability to manipulate the portal\u2019s content, conduct phishing attacks, deface the application, or trick users into clicking malicious links. This can lead to credential theft, malware distribution, reputational damage, and potential compliance violations.\nThe users of the customer account portal are impacted by this vulnerability. Specifically, any user who interacts with the email section of the portal may be tricked into clicking malicious links, leading to potential phishing attacks, credential theft, and exposure to other malicious activities. The organization hosting the portal could also be impacted by reputational damage and compliance violations._\n\n### Recommendation\n_It is recommended to implement proper input validation and output encoding to prevent HTML Injection. The application should sanitize user input by stripping or escaping HTML tags before rendering it on the page._",
"id": "GHSA-26xq-m8xw-6373",
"modified": "2025-06-03T17:35:31Z",
"published": "2025-03-11T20:31:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48958"
},
{
"type": "WEB",
"url": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a"
},
{
"type": "PACKAGE",
"url": "https://github.com/froxlor/Froxlor"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Froxlor has an HTML Injection Vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.