P5: Server-Side Injection > Content Spoofing > Self Email HTML Injection
Attack scenario:
- A malicious actor authenticates onto their account
- Interacting with a feature within the application allows to send emails, of which the contents can be controlled and it has been identified that HTML can be injected into the contents of said email
- The malicious actor does not have the ability to control who this email is sent to, but instead the email is always sent to the authenticated account
This behaviour would be considered as a Self attack, as the injected email is only sent to the authenticated user and, in order to exploit, would require prior access to a victims account which at this stage would be pointless.
P5: Server-Side Injection > Content Spoofing > Self Email HTML Injection
Attack scenario:
This behaviour would be considered as a Self attack, as the injected email is only sent to the authenticated user and, in order to exploit, would require prior access to a victims account which at this stage would be pointless.