TrueConf Server HTML Injection Vulnerability in Conference Description Field

Vulnerability

An HTML injection vulnerability has been identified in TrueConf Server version 5.5.2.10813. The issue arises in the conference description field, where the application fails to properly sanitize user input. This vulnerability allows an attacker to inject arbitrary HTML, which is rendered when a victim views the Conference Info page. The injected HTML can manipulate the user interface and redirect clicks to an attacker-controlled website, facilitating phishing attacks.

Impact

Exploitation of this vulnerability allows for user interface manipulation and phishing attacks by injecting HTML that overlays the page and redirects clicks to a malicious site.

Reproduction

To reproduce this vulnerability, inject a malicious `<a>` tag into the conference description field using the Create or Edit Conference functionality. Once the conference is saved and the Conference Info page is accessed, the injected link will be invisible but will overlay the entire page, redirecting clicks to the specified URL.

Remediation

Users are advised to validate input in the conference description field and disallow HTML tags before the content is rendered in the user interface.
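As an added illustration of that remediation (example code, not TrueConf's own), the following Python shows the two layers a defender would want: a validator that rejects any markup submitted in the description field, and a rendering function that HTML-encodes the description on output regardless of what validation let through. The `attacker.invalid` URL and the sample description are constructed placeholders.

```python
import html
from html.parser import HTMLParser


class _MarkupDetector(HTMLParser):
    """Sets found_markup when the input contains any tag, comment,
    declaration or processing instruction. Plain text such as
    '1 < 2' or 'A & B' is not treated as markup."""

    def __init__(self) -> None:
        super().__init__()
        self.found_markup = False

    def handle_starttag(self, tag, attrs):
        self.found_markup = True

    def handle_startendtag(self, tag, attrs):
        self.found_markup = True

    def handle_endtag(self, tag):
        self.found_markup = True

    def handle_comment(self, data):
        self.found_markup = True

    def handle_decl(self, decl):
        self.found_markup = True

    def handle_pi(self, data):
        self.found_markup = True


def contains_html(description: str) -> bool:
    """True if the description carries HTML markup of any kind."""
    parser = _MarkupDetector()
    parser.feed(description)
    parser.close()  # flush any incomplete trailing tag
    return parser.found_markup


MAX_DESCRIPTION_LEN = 1000  # assumed limit for this example


def validate_description(description: str) -> str:
    """Input-side check: refuse descriptions containing markup."""
    if len(description) > MAX_DESCRIPTION_LEN:
        raise ValueError("conference description is too long")
    if contains_html(description):
        raise ValueError("HTML markup is not allowed in the description")
    return description


def render_conference_info(title: str, description: str) -> str:
    """Output-side encoding: every user-controlled value is escaped,
    so even a stored '<a>' tag is shown as text, never as a link."""
    return '<h1>{t}</h1>\n<p class="description">{d}</p>'.format(
        t=html.escape(title, quote=True),
        d=html.escape(description, quote=True),
    )
```

Validation alone is not enough once malicious descriptions are already stored, which is why the renderer escapes unconditionally.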

Added: Dec 30, 2025, 8:20 PM
Updated: Dec 30, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.5
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.