Low · CVSS 2.5 · HTML Injection (CWE-79)
HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger
Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3556892 by zorixu
Summary
The DAST trial request form at https://portswigger.net/burp/dast/trial is vulnerable to HTML injection through the "First Name" field. User-supplied input is not properly sanitized before being inserted into confirmation emails, allowing attackers to inject arbitrary HTML content that gets rendered in the victim's email client. This vulnerability can be exploited to conduct sophisticated phishing attacks that appear to originate from PortSwigger's legitimate email infrastructure.
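To illustrate the defect described above from the fixing side, the following is an added example and not PortSwigger's code or the reporter's: a constructed confirmation-email template rendered with the submitted first name interpolated raw (the reported behaviour) and with HTML escaping at the point of insertion, plus a regression check a developer could keep in the test suite. The template text, recipient address and canary name are constructed for the example.

```python
import html
from email.message import EmailMessage

# Constructed template standing in for a generic trial-confirmation email;
# it is not the real PortSwigger template.
TEMPLATE = (
    "<html><body>"
    "<p>Hi {name},</p>"
    "<p>Thanks for requesting a DAST trial. We'll be in touch shortly.</p>"
    "</body></html>"
)


def render_vulnerable(first_name: str) -> str:
    """Mirrors the reported defect: the submitted name is interpolated into
    the HTML body as-is, so any markup it contains becomes part of the
    email's document and is rendered by the recipient's mail client."""
    return TEMPLATE.format(name=first_name)


def render_hardened(first_name: str) -> str:
    """Fix: escape the untrusted value for an HTML text context at the point
    of insertion; quote=True also neutralises attribute-breaking quotes."""
    return TEMPLATE.format(name=html.escape(first_name, quote=True))


def build_message(first_name: str, renderer) -> EmailMessage:
    """Assemble a multipart/alternative confirmation email with a plain-text
    part and the HTML part produced by the chosen renderer."""
    msg = EmailMessage()
    msg["Subject"] = "Your DAST trial request"
    msg["To"] = "requester@example.invalid"  # constructed recipient
    msg.set_content(f"Hi {first_name},\n\nThanks for requesting a DAST trial.")
    msg.add_alternative(renderer(first_name), subtype="html")
    return msg


def leaks_markup(first_name: str, renderer) -> bool:
    """Regression check: render a name that contains markup and report whether
    the raw tag survives unescaped into the HTML part of the message."""
    html_part = build_message(first_name, renderer).get_body(preferencelist=("html",))
    return first_name in html_part.get_content()


# Constructed sample input: a harmless tag in place of a real first name.
CANARY_NAME = '<b title="x">Canary</b>'

if __name__ == "__main__":
    print("vulnerable renderer leaks markup:", leaks_markup(CANARY_NAME, render_vulnerable))
    print("hardened renderer leaks markup:", leaks_markup(CANARY_NAME, render_hardened))
```

The same check with a canary value is what a CI test for the form handler would assert on, so the escaping cannot silently regress.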