Hope I will get some awards or a bounty for reporting this.

Vulnerability: HTML Injection

HTML injection is a vulnerability that allows HTML code to be injected and executed in the application.

Impact:

Support agents are not technical people. Consider an attacker who sends this message to an agent: the agent thinks he needs to log in again, clicks the link in the message, goes to a malicious website created by the attacker, and logs in there. The attacker then has the agent's credentials and can use them to log in to support.tejimandi.com and get the information of all the subscribers in the Teji Mandi app, as well as their portfolios.

- Steal the credentials of an agent.
- Redirect the agents to malicious sites.
- Content spoofing and web interface defacement.

Solutions offered and implemented by a vendor:

- Sanitize input given by the customer as well as agents in the chatbox.
- Disable hyperlinks in the chatbox.
- Allow only plain text in the chatbox.

You can use the links below to understand it better:

https://medium.com/@dr.spitfire/html-injection-cve-2019-13975-a33aa8ad4d11
https://www.imperva.com/learn/application-security/html-injection/
https://www.acunetix.com/vulnerabilities/web/html-injection/

You can reach out to me on:
Email: aakashrathee69@gmail.com
Phone: 7014926363
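The "sanitize input" and "plain text only" fixes listed in this report can be sketched as follows. This is an added example, not code from the report or from the vendor; the function names, the markup template and the sample message are all constructed for illustration.

```javascript
// Added example: all names and the sample message are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can start a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the message body is concatenated into markup as-is,
// so an <a> tag sent by a customer becomes a clickable link for the agent.
function renderMessageUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Hardened pattern: sender and body are both treated as plain text.
// Tags arrive in the agent's view as visible characters, not as elements.
function renderMessageSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Server-side signal for logging or review: does the message contain a tag?
// A plain-text chat has no legitimate reason to carry markup.
function containsMarkup(body) {
  return /<\/?[a-zA-Z][^>]*>/.test(String(body));
}

// Constructed sample resembling the message described in the report.
const sample =
  '<a href="https://login.example.invalid/">Session expired, log in again</a>';

console.log(renderMessageUnsafe('customer', sample)); // link is rendered
console.log(renderMessageSafe('customer', sample));   // link is inert text
console.log(containsMarkup(sample));                  // true
```

In a browser client the same effect comes from assigning the message to `textContent` rather than `innerHTML`; the escaping above is for code that builds the markup as a string.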