View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0003718 | SOGo | Web Calendar | public | 2016-06-07 12:34 | 2016-07-04 18:48 | 
| Reporter | fgrunow | Assigned To | francis | ||
| Priority | normal | Severity | minor | Reproducibility | always | 
| Status | resolved | Resolution | fixed | ||
| Product Version | 3.0.2 | ||||
| Fixed in Version | 3.1.3 | ||||
| Summary | 0003718: Persistent Cross-Site Scripting in calendar | ||||
| Description | There is a persistent Cross-Site Scripting (XSS) vulnerability in the calendar of the SOGo Web UI. When creating a calendar entry containing script code and viewing the raw entry in the Web UI, the script code gets executed. | ||||
| Steps To Reproduce | 1) Create a calendar entry like the one attached in the screenshot below. I used Thunderbird for this; the XSS might also trigger if you do this in SOGo directly. Did not try. 2) View the entry in SOGo. Click on "View Raw Source". 3) The JavaScript payload will be executed in the browser. | ||||
| Additional Information | Vulnerable fields: This seems to be a DOM-based XSS. As SOGo is doing a pretty good job in encoding malicious data in many other places I guess you know how to fix this. For further information: | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2016-06-07 12:34 | fgrunow | New Issue | |
| 2016-06-07 12:34 | fgrunow | File Added: persistent_xss_sogo_calendar_viewraw_trigger_fg.png | |
| 2016-06-07 12:35 | fgrunow | File Added: persistent_xss_sogo_calendar_viewraw1_fg.png | |
| 2016-06-07 12:35 | fgrunow | File Added: persistent_xss_sogo_calendar_viewraw_fg.png | |
| 2016-06-08 20:08 | francis | Changeset attached | => sogo master 64ce3c9c | 
| 2016-06-08 20:08 | francis | Assigned To | => francis | 
| 2016-06-08 20:08 | francis | Resolution | open => fixed | 
| 2016-06-08 20:09 | francis | Status | new => resolved | 
| 2016-06-08 20:09 | francis | Fixed in Version | => 3.1.3 | 
| 2016-07-04 18:48 | ludovic | View Status | private => public | 
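The "View Raw Source" sink described in this report is the textbook DOM-based XSS pattern: untrusted iCalendar text is handed to the browser as markup instead of as text. The JavaScript below is an added example, not SOGo's code and not reconstructed from the attached screenshots or from changeset 64ce3c9c, whose contents this page does not show. The VEVENT, the function names and the `alert(document.domain)` payload are constructed for illustration. It puts the vulnerable string-building renderer beside two hardened forms (escaping for an HTML text context, and writing through `textContent`), and shows why any markup check has to run on the unfolded RFC 5545 text rather than on the stored lines, since folding can split a tag name across a line break.

```javascript
// Added example, not SOGo's own code: how a "view raw source" feature for an
// iCalendar entry becomes a DOM-based XSS, and the hardened alternatives.
//
// Constructed sample VEVENT (not taken from the report). The payload in
// SUMMARY uses an event-handler attribute rather than <script>, because
// browsers do not execute <script> elements that arrive via innerHTML but do
// fire onerror on an <img> inserted that way. The value is folded across two
// lines (CRLF followed by a space) as RFC 5545 permits, which splits the tag
// name "img" in the stored text.
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'BEGIN:VEVENT',
  'UID:example-1@example.invalid',
  'DTSTART;TZID=Europe/Berlin:20160607T123400',
  'SUMMARY:Weekly sync <im',
  ' g src=x onerror="alert(document.domain)">',
  'DESCRIPTION:Nothing unusual here',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// RFC 5545 unfolding: a CRLF followed by one space or tab joins the lines.
function unfold(ics) {
  return ics.replace(/\r\n[ \t]/g, '');
}

// Minimal content-line parser: NAME[;PARAMS]:VALUE. Returns an object keyed
// by property name (last occurrence wins, which is enough here).
function parseProperties(ics) {
  const props = {};
  for (const line of unfold(ics).split('\r\n')) {
    if (line === '') continue;
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const semi = line.indexOf(';');
    const name = line.slice(0, semi >= 0 && semi < colon ? semi : colon);
    props[name.toUpperCase()] = line.slice(colon + 1);
  }
  return props;
}

// Escaping of the five characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw entry is concatenated into markup. Assigning the result
// to an element's innerHTML parses the SUMMARY payload as HTML.
function renderRawUnsafe(ics) {
  return '<pre class="raw-source">' + ics + '</pre>';
}

// Hardened: escape before the text reaches an HTML context. The folded line
// breaks survive because <pre> renders them literally.
function renderRawSafe(ics) {
  return '<pre class="raw-source">' + escapeHtml(ics) + '</pre>';
}

// Better still, avoid the HTML-string sink altogether: textContent never
// parses markup. `container` is a DOM element (or a plain object in tests).
function mountRaw(container, ics) {
  container.textContent = ics;
  return container;
}

// Heuristic for a scanner or server-side filter: look for markup only after
// unfolding, otherwise a tag split across a fold is missed.
function containsMarkup(ics) {
  return /<[a-z!\/]/i.test(unfold(ics));
}

// The naive version that inspects stored lines one at a time and requires a
// complete tag name; it does not see "<img" in the folded sample.
function naiveLineContainsMarkup(ics) {
  return ics.split('\r\n').some((line) => /<[a-z!\/][a-z0-9]*[\s>]/i.test(line));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseProperties(SAMPLE_ICS).SUMMARY);
  console.log(renderRawSafe(SAMPLE_ICS));
  console.log('unfolded scan:', containsMarkup(SAMPLE_ICS),
    'per-line scan:', naiveLineContainsMarkup(SAMPLE_ICS));
}
```

The point for a reviewer of such a fix is the sink, not the filter: `renderRawSafe` and `mountRaw` neutralise any payload regardless of folding, while `containsMarkup` is only a detection aid and is deliberately loose (it also flags a literal "a<b" in a description).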