Lost and Found Information System v1.0 — HTML Injection — CVE-2023-3017

Akash Pandey
May 31, 2023


Observation and Introduction:

The application Lost and Found Information System v1.0 is vulnerable to HTML Injection, which allows HTML payloads to be executed. VulDB assigned it CVE-2023-3017. Due to improper checks on user input, an attacker can inject any payload, which may be escalated to perform further attacks such as defacing the site or redirecting users to other sites.

Steps to re-produce:

  1. Go to Users and click on Create New to create a user. Enter the payloads below.

POC 1

  2. Saving the details will result in our payloads being executed.

Now we can see that the input "Pandey" is displayed in blue. We can also click on it.

We are redirected to another website.

Impact:

A compromised web application may provide additional attack surface to a malicious user.

Recommendation:

  1. Use Content-Security-Policy to mitigate any malicious input.
  2. Any user input field should be sanitized before processing.
  3. Use whitelisting or a regex as per your requirements. E.g., if the user needs to fill in First Name and Last Name, allow only alphabetic characters in the regex.
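
Recommendations 2 and 3 as an added example (not code from the original post or from the application itself): an allowlist check for the name fields, plus HTML-encoding of stored values when they are written into the page. Python is used for illustration only; the function names, the 1-50 character limit and the sample inputs are assumptions constructed for this example.

```python
import html
import re

# Allowlist for name fields: ASCII letters only, 1-50 characters.
# The length limit is an assumption; adjust it to the real schema.
NAME_RE = re.compile(r"[A-Za-z]{1,50}")


def validate_name(value: str) -> str:
    """Return the trimmed name, or raise ValueError if it is not letters only."""
    candidate = value.strip()
    # fullmatch() must consume the whole string, so markup appended after a
    # valid-looking prefix cannot slip through as it could with search().
    if not NAME_RE.fullmatch(candidate):
        raise ValueError("name must contain only the letters A-Z")
    return candidate


def create_user(first: str, last: str) -> dict:
    """Hypothetical 'Create New' handler: reject bad input before storing it."""
    return {"first": validate_name(first), "last": validate_name(last)}


def render_user_row(first: str, last: str) -> str:
    """Build a table row; values are HTML-encoded at output time, so markup
    that reached storage by another route is shown as text, not rendered."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(first, quote=True), html.escape(last, quote=True)
    )


# Constructed sample inputs (not the payloads from the original post).
SAMPLES = [
    "Akash",
    "  Pandey ",
    '<a href="https://example.com">Pandey</a>',
    "Pandey<b>x</b>",
]


def check_samples() -> list:
    """Return True/False per sample: does it pass the allowlist?"""
    results = []
    for sample in SAMPLES:
        try:
            validate_name(sample)
            results.append(True)
        except ValueError:
            results.append(False)
    return results


if __name__ == "__main__":
    print(check_samples())
    print(render_user_row(SAMPLES[2], "Pandey"))
```

The allowlist only suits fields with a narrow format such as names; free-text fields still depend on the output encoding shown in `render_user_row`.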

The vulnerability has been assigned: CVE-2023-3017
