CVE-2021-43574

Ronit Bhatt
Nov 15, 2021


Reflected XSS on sites using Atmail hosting

Discovered by: Ronit Bhatt

Vulnerable Version: Atmail 6.5.0

Vendor Homepage: https://help.atmail.com/hc/en-us/sections/115003283988

Bug Description:

A reflected cross-site scripting (XSS) vulnerability in sites running the outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the “format” parameter.

Steps To Reproduce:

1. Visit the login page of a site using Atmail hosting.

2. Append the “format” parameter to the URL as shown in the screenshot below and press Enter.

3. BOOM! Your reflected XSS will be triggered :D
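To show the defect class behind this finding from the defender's side, here is an added Python example (not Atmail code; the page layout, the allowlist values, the log format and the log lines are all constructed for illustration): a handler that reflects the “format” parameter into the page unescaped, beside a hardened version that allowlists the value and HTML-escapes it anyway, plus a check over access-log lines that flags “format” values that are not plain tokens, which is the kind of request a defender would want to see in review.

```python
"""Reflected-parameter XSS: vulnerable vs hardened rendering, plus an access-log check.

Added example, not Atmail's code. The page markup, the allowlist, the log format
and the sample log lines are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of legitimate "format" values (constructed; not Atmail's real set).
ALLOWED_FORMATS = {"html", "mobile", "basic"}
DEFAULT_FORMAT = "html"

# Shape a legitimate "format" value would ever take (constructed policy): a short plain token.
SAFE_FORMAT = re.compile(r"^[A-Za-z0-9_-]{1,16}$")


def get_format(query_string: str) -> str:
    """Return the first 'format' value from a query string, or the default when absent."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("format", [DEFAULT_FORMAT])[0]


def render_login_vulnerable(query_string: str) -> str:
    """Defective pattern: the raw parameter is copied into an attribute and into page text."""
    fmt = get_format(query_string)
    return (
        f'<form method="post" action="/index.php?format={fmt}">'
        f"<p>Rendering in {fmt} mode</p></form>"
    )


def render_login_hardened(query_string: str) -> str:
    """Allowlist the value first, then escape it anyway as defence in depth."""
    fmt = get_format(query_string)
    if fmt not in ALLOWED_FORMATS:
        fmt = DEFAULT_FORMAT          # unknown value: fall back instead of echoing it
    safe = html.escape(fmt, quote=True)  # escapes < > & " ' for attribute and text contexts
    return (
        f'<form method="post" action="/index.php?format={safe}">'
        f"<p>Rendering in {safe} mode</p></form>"
    )


def reflects_markup(page: str, probe: str) -> bool:
    """True if the probe string reaches the page byte-for-byte (i.e. unescaped reflection)."""
    return probe in page


def suspicious_format_requests(log_lines):
    """Return request URLs whose decoded 'format' value is not a plain token.

    Works on Apache/nginx combined-format lines; parse_qs percent-decodes the value once.
    """
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        url = m.group(1)
        fmt = parse_qs(urlsplit(url).query, keep_blank_values=True).get("format")
        if fmt and not SAFE_FORMAT.match(fmt[0]):
            flagged.append(url)
    return flagged


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2021:10:00:01 +0000] "GET /index.php?format=mobile HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Nov/2021:10:00:09 +0000] "GET /index.php?format=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5200',
    '203.0.113.9 - - [15/Nov/2021:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    probe = "<b>probe</b>"  # benign markup probe, constructed
    print("vulnerable reflects probe:", reflects_markup(render_login_vulnerable("format=" + probe), probe))
    print("hardened reflects probe:  ", reflects_markup(render_login_hardened("format=" + probe), probe))
    print("flagged requests:", suspicious_format_requests(SAMPLE_LOG))
```

The allowlist is what actually closes the hole: a parameter that selects among a fixed set of rendering modes never needs to carry free text back to the browser, so anything outside the set is replaced rather than echoed. Escaping stays in place so that a later change to the allowlist cannot silently reopen the reflection, and the log check gives a cheap way to spot probing of the parameter on an instance that has not yet been patched.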

Hope you like the blog and find some XSS along with some $$$$!

LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/

Thank you

Ronit Bhatt
