
Content Spoofing or Text Injection (404 Error Page Injection on www.currencycloud.com) #1

Open
RThejani opened this issue Aug 7, 2023 · 0 comments

RThejani commented Aug 7, 2023

Issue:
https://hackerone.com/reports/2098102

Vulnerability Description:
While conducting a security assessment of the website, on the domain www.currencycloud.com I came across a vulnerability that enables an attacker to insert any type of content into the URLs of the 404 error pages. This vulnerability can be exploited to carry out content spoofing or text injection attacks, which could result in spreading information or attempting phishing activities.

Proof of Concept (PoC):
- https://www.currencycloud.com/?post_type=case_studies&p=12415/
- https://www.currencycloud.com/product/api/
- https://www.currencycloud.com/it/careers/
- https://developer.currencycloud.com/sdks/
- https://www.currencycloud.com/de/company/news/type/latest-news-de/
- https://www.currencycloud.com/product/currencycloud-direct/
- https://www.currencycloud.com/es-es/company/resources/page/2/

Upon visiting these URLs, the 404 error page is displayed with the manipulated/text-injected URL.

Steps to Reproduce:
Open a web browser and navigate to the www.currencycloud.com website.
Enter an arbitrary, non-existent URL in the address bar (e.g., https://www.currencycloud.com/product/api/ ).
Observe the 404 error page displayed by the website.
Inject the desired content into the error page by appending a crafted payload to the URL (e.g., https://www.currencycloud.com/product/api/error?error=hello%20I%20am%20thekushidajyna).

Recommendation:
Input Validation: Implement strict input validation to ensure that user-supplied data is sanitized and does not contain any potentially harmful content.
Use of Frameworks/Libraries: Ensure that the website is built using secure coding practices and that up-to-date frameworks and libraries are used to prevent common security vulnerabilities.

The severity of the above vulnerability can be classified as "High" as per CVSS v3 Calculator.
- While the vulnerability allows for content spoofing or text injection, it does not directly result in immediate critical consequences like arbitrary code execution, data breaches, or complete system compromise.
- The impact of the vulnerability includes potential phishing attacks, user confusion, brand reputation damage, and SEO manipulation, which can still have significant consequences but are not as severe as high-risk vulnerabilities.
- However, the potential for misinformation, brand reputation damage, and user manipulation is serious enough to warrant attention and prompt remediation.

Impact
The content spoofing or text injection vulnerability can have several adverse effects on the website and its users, including but not limited to:
- Brand reputation damage: Attackers can exploit this vulnerability to display offensive or misleading content, tarnishing the reputation.
- User confusion: By injecting arbitrary content, attackers can create confusion among users, leading them to believe the site has been compromised or is unreliable.
- Phishing attack: Malicious actors can inject fake login forms or other deceptive content on the error page to trick users into revealing sensitive information.
- SEO manipulation: By injecting links to malicious websites or SEO keywords, attackers can attempt to manipulate search engine rankings or redirect traffic to malicious destinations.
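As an added illustration of the reflection pattern the report describes and of the fix its recommendation calls for (example code added here, not currencycloud's or the reporter's; the handler names, the treatment of the `error` parameter and the reflection check are assumptions, and only the URL is taken from the report's PoC):

```python
import html
import logging
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC URL from the report; the query value is the injected text.
POC_URL = "https://www.currencycloud.com/product/api/error?error=hello%20I%20am%20thekushidajyna"


def render_404_reflecting(request_url: str) -> str:
    """Unsafe pattern (hypothetical, not the site's code): the 404 template echoes
    a query parameter and the raw path, so whatever a visitor puts in the URL
    becomes page text."""
    parts = urlsplit(request_url)
    message = parse_qs(parts.query).get("error", ["Page not found"])[0]
    return f"<h1>404</h1><p>{message}</p><p>Requested: {unquote(parts.path)}</p>"


def render_404_fixed(request_url: str) -> str:
    """Hardened pattern: the visible text is a fixed string and nothing from the
    URL is rendered. The requested path goes only to the server log, HTML-escaped
    and length-capped so a log viewer does not become the next injection sink."""
    path = html.escape(unquote(urlsplit(request_url).path))[:200]
    logging.getLogger("http404").info("not found: %s", path)
    return "<h1>404</h1><p>The page you requested does not exist.</p>"


def user_text_from_url(request_url: str, min_len: int = 4) -> list[str]:
    """Free-text fragments the requester controls: decoded path segments and
    query values (short fragments are skipped to avoid noise)."""
    parts = urlsplit(request_url)
    fragments = [unquote(seg) for seg in parts.path.split("/") if seg]
    for values in parse_qs(parts.query).values():
        fragments.extend(values)
    return [f for f in fragments if len(f) >= min_len]


def reflects_user_text(request_url: str, body: str) -> bool:
    """Regression check for a 404 handler: True if any URL-supplied fragment
    appears verbatim in the response body, which is the condition reported."""
    return any(fragment in body for fragment in user_text_from_url(request_url))


if __name__ == "__main__":
    for render in (render_404_reflecting, render_404_fixed):
        body = render(POC_URL)
        print(render.__name__, "reflects user text:", reflects_user_text(POC_URL, body))
```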
