Dependency Graph

View IssueRelationship GraphHorizontalShow Summary
Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006009SOGoWeb Preferencespublic2024-08-20 00:032024-09-12 06:58
Reporterjulian123 Assigned Toqhivert  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionduplicate 
Platform[Server] LinuxOSUbuntuOS Version16.04 LTS
Product Version5.10.0 
Summary0006009: Stored-XSS in Vacation Auto-Reply
Description

A cross-site scripting payload can be stored in the Auto-Reply Subject and Auto-reply message fields of the vacation auto-reply, leading to execution when the user navigates to their inbox.

Steps To Reproduce
  1. Authenticate to the application.
  2. Navigate to Preferences > Mail > Vacation
  3. Select Enable Vacatiopn Auto Reply
  4. In the Auto-Reply Subject field add the following payload
    //</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1)//>\\x3e
    1. In the Auto-Reply message field add the following payload
      //</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(2)//>\\x3e
    2. Select Save
    3. Navigate to the user's inbox and observe the XSS payloads execute.
Tagssignature

Relationships

Relationship GraphDependency Graph
related to 0006010 closedqhivert Stored-XSS in Reply to Email 
related to 0006004 resolvedqhivert Stored-XSS in Contacts Category Fields 

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-20 00:03 julian123 New Issue
2024-08-20 00:03 julian123 Tag Attached: signature
2024-08-20 14:07 qhivert Relationship added related to 0006010
2024-08-20 14:08 qhivert Relationship added related to 0006004
2024-09-12 06:58 qhivert Assigned To => qhivert
2024-09-12 06:58 qhivert Status new => closed
2024-09-12 06:58 qhivert Resolution open => duplicate