Description:
Account name text fields have no validation and any characters can be used to save the name. This can be used for malicious purposes. A complete malicious link can be saved in these textboxes, and when you send users an invitation to join a New Relic account, these names will render as valid links in email clients. For example, if I save the account name as some porn site, it will render as a link in the email client. Since the email is from a trusted domain like New Relic, the victim will definitely want to click on the link, which will end up with him visiting some porn site. See the attached screenshot. For example purposes I used http://google.com/ as the name.
Reported by Kunal Mhaske [email protected]
Vulnerability Name: No validation on account names
Vulnerable URL: https://ctl.ptah.sh/user/profile
Steps:
Impact:
No validation on account names
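
An added example, not part of the original report or the project's code: one way to reject link-shaped account names when they are submitted, so they never reach an invitation email where a mail client would auto-link them. The function name, the 64-character limit and the character allowlist are assumptions, and the sample inputs are constructed (the first is the value used in the report).

```python
import re
import unicodedata

MAX_LEN = 64  # assumed limit; the report does not state one

# Shapes that mail clients commonly auto-link even in plain text.
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*:", re.IGNORECASE)      # http:, mailto:
WWW_RE = re.compile(r"\bwww\.", re.IGNORECASE)                      # www.example
HOST_RE = re.compile(r"\b[a-z0-9\-]+\.[a-z]{2,}\b", re.IGNORECASE)  # example.com
# Assumed allowlist: letters/digits in any script, space, apostrophe, hyphen, dot.
DISALLOWED_RE = re.compile(r"[^\w '\-.]|_")


def account_name_problems(raw: str) -> list[str]:
    """Return the reasons a submitted name is rejected; an empty list means accept."""
    # NFKC folds compatibility forms (e.g. a fullwidth dot) to their plain form,
    # so look-alike spellings of a host name are checked as ordinary text.
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name or len(name) > MAX_LEN:
        return ["length"]
    problems = []
    # Unicode categories starting with "C" cover control and invisible format characters.
    if any(unicodedata.category(ch)[0] == "C" for ch in name):
        problems.append("control-character")
    if DISALLOWED_RE.search(name):
        problems.append("disallowed-character")
    if SCHEME_RE.search(name):
        problems.append("url-scheme")
    if WWW_RE.search(name) or HOST_RE.search(name):
        problems.append("host-like")
    return problems


# Constructed sample inputs; the first is the value used in the report.
SAMPLES = ["http://google.com/", "google.com", "google\uff0ecom", "www.example",
           "Kunal Mhaske", "J. R. O'Brien-Lee", "Acme Inc."]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} -> {account_name_problems(s) or 'ok'}")
```

The check runs on input because HTML-escaping the name in the email template does not stop a mail client from turning URL-shaped text into a link.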