CVE-2022-30776
Reflected XSS on sites using Atmail hosting
Discovered by: Ronit Bhatt
Vulnerable Version: Atmail 6.5.0
Vendor Homepage: https://help.atmail.com/hc/en-us/sections/115003283988
Bug Description:
A reflected cross-site scripting (XSS) vulnerability in sites running the outdated Atmail hosting version 6.5.0 allows remote attackers to inject arbitrary web script or HTML via the "error" parameter, which the page reflects back without output encoding.
Steps To Reproduce:
1. Visit the login page of a site using Atmail hosting.
2. Append the "error" parameter with an XSS payload as shown in the screenshot below and hit Enter, i.e. /atmail/index.php/admin/index/?error=1<ScRiPt >alert(%27XSS%27)</ScRiPt>
3. BOOM! Your reflected XSS will be triggered :D
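To show the fix side of this bug, here is an added example (written for this post, not Atmail's own code) that models a login page reflecting the "error" parameter: it takes the request URL from the steps above, shows why a naive lowercase "<script>" blocklist still lets the mixed-case payload through, and shows that HTML-entity encoding neutralises it. The template strings and function names are hypothetical.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample request, the URL shape from the steps above
# (%27 is a URL-encoded single quote; note the mixed-case tag name).
SAMPLE_URL = "/atmail/index.php/admin/index/?error=1<ScRiPt >alert(%27XSS%27)</ScRiPt>"


def error_param(url: str) -> str:
    """Return the URL-decoded 'error' query value as the server would see it."""
    values = parse_qs(urlparse(url).query, keep_blank_values=True)
    return values.get("error", [""])[0]


def render_vulnerable(error: str) -> str:
    """Hypothetical template that reflects the parameter unencoded.

    This models the behaviour described in the write-up, not Atmail's code.
    """
    return f'<div class="error">{error}</div>'


def render_blocklist(error: str) -> str:
    """Naive 'fix': strip a lowercase <script> tag. Case and whitespace
    variations such as '<ScRiPt >' slip straight past it."""
    return f'<div class="error">{error.replace("<script>", "")}</div>'


def render_hardened(error: str) -> str:
    """Correct fix for an HTML-body context: entity-encode the whole value
    (quote=True also encodes quotes, so it is safe inside attributes too)."""
    return f'<div class="error">{html.escape(error, quote=True)}</div>'


def contains_script_tag(rendered: str) -> bool:
    """Case-insensitive check for a live script element in rendered HTML,
    usable as a quick regression test for the response body."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    value = error_param(SAMPLE_URL)
    for name, renderer in [("vulnerable", render_vulnerable),
                           ("blocklist", render_blocklist),
                           ("hardened", render_hardened)]:
        out = renderer(value)
        print(f"{name:10s} script tag present: {contains_script_tag(out)}")
```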
Hope you like the blog and find some XSS along with some $$$$ 😎.
LinkedIn: https://www.linkedin.com/in/ronit-bhatt-653a7115b/
Thank you
Ronit Bhatt