Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.
A malicious payload can be injected into the Name field, and when a user resets their password, the HTML injection is executed in the resulting email.
There is an HTML injection vulnerability inside emails sent from slack when the FIRST name on the account contains HTML. The HTML is stored in the backend database, and when emails are sent (promotional, etc.), it is sent along with the rest of the email without being escaped.
Example of Payload used in the name field:
https://abc.comxxxxxxxxxxxxxxxxxxxxeeeeeeeeeeaaaaaaaaaaaaa%20%22<b>hello</b><h1>hacker</h1><a href=’abc.com’>XXXX</a>abc.com
Steps-To-Reproduce:
1. Navigate to https://studio.softr.io/user/profile
2. Enter https://abc.comxxxxxxxxxxxxxxxxxxxxeeeeeeeeeeaaaaaaaaaaaaa%20%22<b>hello</b><h1>hacker</h1><a href=’abc.com’>XXXX</a>abc.com in the name field and click on update profile.
3. Sign out from the session.
4. Now navigate to https://studio.softr.io/auth/forgot-password and enter the registered email address.
5. Click on forgot password; you will receive an email that triggers the HTML injection.
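The root cause described above is a stored value (the account name) being concatenated into an HTML email template without output encoding. The following added example is not Softr's code; it is a hypothetical password-reset mailer that shows the vulnerable pattern next to the hardened one, using the payload quoted in this report (with the curly quote characters normalized to straight quotes) as constructed sample input. The template, link and function names are assumptions for illustration.

```python
import html
import re

# Constructed sample input: the injection payload quoted in the report, as it
# would sit in the backend database once saved through the profile page.
REPORTED_PAYLOAD = (
    "https://abc.comxxxxxxxxxxxxxxxxxxxxeeeeeeeeeeaaaaaaaaaaaaa%20%22"
    "<b>hello</b><h1>hacker</h1><a href='abc.com'>XXXX</a>abc.com"
)

# Hypothetical reset link (placeholder domain, not a real endpoint).
RESET_LINK = "https://example.invalid/auth/reset?token=PLACEHOLDER"

# Hypothetical mail template; the {name} slot is where user data enters HTML.
TEMPLATE = (
    "<p>Hi {name},</p>"
    '<p>Click <a href="{link}">here</a> to reset your password.</p>'
)

# Tags the template itself legitimately contains.
TEMPLATE_TAGS = ("p", "a")

TAG_NAME_RE = re.compile(r"</?([A-Za-z0-9]+)")


def render_reset_email_unsafe(name: str, link: str) -> str:
    """Vulnerable pattern: the stored name is dropped straight into the HTML body."""
    return TEMPLATE.format(name=name, link=link)


def render_reset_email_safe(name: str, link: str) -> str:
    """Hardened pattern: HTML-escape every untrusted value at the point it enters
    HTML, so '<', '>', '&' and quotes become entities and can no longer form tags."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        link=html.escape(link, quote=True),
    )


def contains_markup(value: str) -> bool:
    """Input-side check for a display-name field: reject values that carry tags.
    This is defence in depth only; output escaping is the actual fix."""
    return re.search(r"<[^>]+>", value) is not None


def injected_tags(rendered: str) -> list:
    """Detection helper: list tag names in a rendered email that are not part of
    the template, i.e. tags that must have arrived via user-controlled data."""
    found = [t.lower() for t in TAG_NAME_RE.findall(rendered)]
    return [t for t in found if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    unsafe = render_reset_email_unsafe(REPORTED_PAYLOAD, RESET_LINK)
    safe = render_reset_email_safe(REPORTED_PAYLOAD, RESET_LINK)
    print("input flagged by validator:", contains_markup(REPORTED_PAYLOAD))
    print("foreign tags in unsafe render:", injected_tags(unsafe))
    print("foreign tags in safe render:", injected_tags(safe))
```

The `injected_tags` check is the kind of assertion a mail-rendering unit test can carry: after escaping, the only tags in the body are the template's own. Sending password-reset mail as `text/plain` removes the HTML context entirely and is a simpler option where rich formatting is not needed.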
Screenshot/POC :