
CVE-2022-4720: Hyperlink injection through access token name in rdiffweb

Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.

CVE
#vulnerability #web #git #perl

Description

Hyperlink injection is when an attacker gets a link of their choosing into an email that the application sends on their behalf, such as an invitation or notification. Because the message comes from the legitimate sender and is delivered straight to the user's inbox, an injected hyperlink is an effective phishing lure.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/tokens
2) Create a new access token with the name "evil.com"
3) A notification email is sent to the registered email address, and the token name is rendered in it as a hyperlink
4) Clicking the hyperlink takes the recipient to the attacker-controlled website
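The steps above show the pattern: a user-controlled label is dropped into an outgoing email, and anything that looks like a hostname becomes a clickable link. The following is an added example, not rdiffweb's own code and not the project's fix in 2.5.5. It contrasts a notification renderer that interpolates the token name verbatim with one that restricts names to a plain label on input and HTML-escapes them on output. The template text, the `SAFE_NAME_RE` pattern and the `looks_like_link` heuristic are assumptions made for this example; the injected name "evil.com" is the one from the proof of concept.

```python
import html
import re

# Token name taken from the advisory's proof of concept: a bare hostname that
# mail clients auto-link, so the notification itself carries the lure.
INJECTED_NAME = "evil.com"

# Acceptable token label (assumption for this example, not rdiffweb's rule):
# starts with a letter or digit, then letters, digits, space, underscore or
# hyphen. No dots, slashes or angle brackets, so a name can never read as a
# hostname, URL or HTML tag.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")

# Rough approximation of what a mail client turns into a hyperlink:
# an explicit scheme, a www. prefix, or a bare host.tld token.
LINK_RE = re.compile(r"(?i)(https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b)")


def looks_like_link(text: str) -> bool:
    """True if a mail client would likely render part of `text` as a link."""
    return LINK_RE.search(text) is not None


def render_notification_vulnerable(token_name: str) -> str:
    """Email body in the shape the advisory describes: the user-supplied
    token name is placed in the message verbatim, with no validation and
    no escaping."""
    return (
        "<p>A new access token named <b>%s</b> was added to your account.</p>"
        % token_name
    )


def validate_token_name(token_name: str) -> str:
    """Accept only a plain label; anything else is rejected at creation time
    rather than being stored and later mailed out."""
    if not SAFE_NAME_RE.match(token_name):
        raise ValueError(
            "token name must be a plain label (letters, digits, space, _ or -)"
        )
    return token_name


def render_notification_hardened(token_name: str) -> str:
    """Validate on input and HTML-escape on output. Validation stops URL-like
    names such as "evil.com"; escaping stops markup injection in case a name
    ever reaches the template through another path."""
    name = validate_token_name(token_name)
    return (
        "<p>A new access token named <b>%s</b> was added to your account.</p>"
        % html.escape(name, quote=True)
    )


if __name__ == "__main__":
    body = render_notification_vulnerable(INJECTED_NAME)
    print("vulnerable body contains a link-like string:", looks_like_link(body))
    try:
        render_notification_hardened(INJECTED_NAME)
    except ValueError as exc:
        print("hardened renderer rejected the name:", exc)
    print(render_notification_hardened("laptop-backup"))
```

Validating the label at creation time is the important half: escaping alone does not help here, because "evil.com" contains no markup and is auto-linked by the recipient's mail client purely on its shape.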

Impact

An attacker who can name an access token can place an attacker-controlled link in the notification email that rdiffweb sends, and a recipient who clicks it is redirected to a malicious website.

Related news

GHSA-h5wp-jrqc-cwwx: rdiffweb vulnerable to Open Redirect

Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.
