CVE-2021-43574
Nov 15, 2021
Reflected XSS on sites using Atmail hosting
Discovered by : Ronit Bhatt
Vulnerable Version: Atmail 6.5.0
Vendor Homepage: https://help.atmail.com/hc/en-us/sections/115003283988
Bug Description:
A reflected cross-site scripting (XSS) vulnerability in sites running the outdated Atmail hosted version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter, whose value is reflected into the page without output encoding.
Steps To Reproduce:
1. Visit the login page of the site using Atmail hosting.
2. Append the “format” parameter to the URL with a script or HTML payload, as shown in the screenshot, and hit Enter.
3. BOOM! Your Reflected XSS will be triggered :D
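To confirm that a host reflects the “format” parameter unescaped without firing a real payload, here is an added example in Python; it is not code from the original post or from Atmail. It builds the probe URL, carries a benign canary containing the characters an XSS payload relies on, and classifies how the response echoes it back. The host name, the canary value, and the two constructed render functions that stand in for a vulnerable page and a fixed page are assumptions made for this example.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# PARAM is the parameter named in the advisory. CANARY and every URL below are
# assumptions for this example, not values taken from the original post.
PARAM = "format"
CANARY = "c4n4ry<\"'>"   # carries the characters any XSS payload needs


def build_probe_url(base_url: str, param: str = PARAM, value: str = CANARY) -> str:
    """Append param=value to base_url, keeping any query string already there."""
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body: str, value: str = CANARY) -> str:
    """Classify how the probe value comes back in a response body.

    'unescaped'         raw value present: script/HTML in the parameter executes
    'escaped'           only the fully entity-encoded form present: output encoding applied
    'partially_escaped' angle brackets encoded but quotes not: still exploitable
                        inside a quoted attribute, a common incomplete fix
    'absent'            value not reflected at all
    """
    if value in body:
        return "unescaped"
    if html.escape(value, quote=True) in body:
        return "escaped"
    if html.escape(value, quote=False) in body:
        return "partially_escaped"
    return "absent"


def vulnerable_render(fmt: str) -> str:
    """Constructed stand-in for a page that echoes the parameter verbatim (the bug class)."""
    return f'<input type="hidden" name="format" value="{fmt}">'


def fixed_render(fmt: str) -> str:
    """Same constructed page with attribute-context output encoding applied (the fix)."""
    return f'<input type="hidden" name="format" value="{html.escape(fmt, quote=True)}">'


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Live check against a host you are authorised to test (needs network access)."""
    import urllib.request
    url = build_probe_url(base_url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return classify_reflection(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed pages; probe() is the live variant.
    print(build_probe_url("https://mail.example.com/"))        # assumed host
    print(classify_reflection(vulnerable_render(CANARY)))       # unescaped
    print(classify_reflection(fixed_render(CANARY)))            # escaped
```

The canary deliberately includes `<`, `>`, `"` and `'` so that a page which encodes only angle brackets is reported as partially escaped rather than safe: inside a quoted attribute value, an unencoded quote is enough to break out and add an event handler. Run `probe()` only against a host you have permission to test.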
Hope you like the blog and find some XSS along with some $$$$!
LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/
Thank you
Ronit Bhatt