RXSS on unsubscribe feature (affiliates.kromtech.com)

Low
Clario

Team Summary

Official summary from Clario

### Summary

Reflected Cross-Site Scripting on the affiliates.kromtech.com domain. The problem is in the email parameter of the /unsubscribe script, which takes a GET parameter and passes its value directly into the HTML code of the page.

### Steps to reproduce

`https://affiliates.kromtech.com/unsubscribe?email=kolabro</script><script>alert(document.domain)</script>`

Reported by sec0ndw0lf

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$75.00

Weakness

Cross-site Scripting (XSS) - Reflected