View Issue Details

IDProjectCategoryView StatusLast Update
0006004SOGoWeb Preferencespublic2024-10-08 12:27
Reporterjulian123 Assigned Toqhivert  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Platform[Server] LinuxOSUbuntuOS Version16.04 LTS
Product Version5.10.0 
Fixed in Version5.11.1 
Summary0006004: Stored-XSS in Contacts Category Fields
Description

A cross-site scripting payload can be stored in the contacts category fields, leading to execution when the user navigates to their inbox.

Steps To Reproduce
  1. Authenticate to the SOGo application.
  2. Navigate to Preferences > Address Books
  3. Select Add Contact Category
  4. In the form field enter the following payload
    //</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1111)//>\x3e
  5. Select Save
  6. Navigate to the user's inbox and observe that the XSS payload is executed.
TagsNo tags attached.

Relationships

related to 0006009 closedqhivert Stored-XSS in Vacation Auto-Reply 
related to 0006008 closedqhivert Stored-XSS in Mail Filters Field 
related to 0006007 closedqhivert Stored-XSS in Mail Labels Field 
related to 0006006 closedqhivert Calendar Categories Stored-XSS 
related to 0006010 closedqhivert Stored-XSS in Reply to Email 

Activities

qhivert

qhivert

2024-08-20 09:42

administrator   ~0017812

Hello,
Thanks for reporting I will look into this and all the others issues you report.

julian123

julian123

2024-08-20 12:33

reporter   ~0017813

Thank you qhivert! Please let me know if you have any questions or would like screenshots.

qhivert

qhivert

2024-08-20 13:23

administrator   ~0017816

Just to be sure, in all your cases, it's the user itself or someone with the user access that "hacks" itself?

julian123

julian123

2024-08-20 13:32

reporter   ~0017817

Correct, it's a self-XSS. I understand that lowers the severity considerably as is reflected in my rating of the issue. However, it's possible a user could be lured into performing some of these actions if they are socially engineered or if their account is compromised. There may be other avenues of exploiting these which may become available in the future which I either did not discover or are not yet possible. I'd consider them to be low-severity vulnerabilities under the current conditions though, I could certainly score them each for you if that may help.

qhivert

qhivert

2024-08-20 14:23

administrator   ~0017820

What OS do you use, I've made a fix but I don't want to push it in the main branch yet. But I can build a package for you to test it.

julian123

julian123

2024-08-20 14:32

reporter   ~0017822

I'm running it in docker through Mailcow, not sure how to best approach testing it. What are your thoughts?

qhivert

qhivert

2024-09-12 06:58

administrator   ~0017873

Hello,
I've pushed the fix https://github.com/Alinto/sogo/commit/a7023bce1642ec1fd25fe68f0541407d78f321a0
It will be available in the next nightly. I don't have any idea how you could test that with mailcow though. I will let this issue open and close the others as this is the same problem/fix.

julian123

julian123

2024-09-16 10:21

reporter   ~0017886

Thank you Qhivert, I'll test this ASAP. I'd like to register CVEs for these findings if that's alright!

Issue History

Date Modified Username Field Change
2024-08-19 23:49 julian123 New Issue
2024-08-20 09:41 qhivert Assigned To => qhivert
2024-08-20 09:41 qhivert Status new => assigned
2024-08-20 09:42 qhivert Note Added: 0017812
2024-08-20 12:33 julian123 Note Added: 0017813
2024-08-20 13:23 qhivert Note Added: 0017816
2024-08-20 13:23 qhivert Status assigned => feedback
2024-08-20 13:32 julian123 Note Added: 0017817
2024-08-20 13:32 julian123 Status feedback => assigned
2024-08-20 14:08 qhivert Relationship added related to 0006010
2024-08-20 14:08 qhivert Relationship added related to 0006009
2024-08-20 14:08 qhivert Relationship added related to 0006008
2024-08-20 14:08 qhivert Relationship added related to 0006007
2024-08-20 14:08 qhivert Relationship added related to 0006006
2024-08-20 14:23 qhivert Note Added: 0017820
2024-08-20 14:23 qhivert Status assigned => feedback
2024-08-20 14:32 julian123 Note Added: 0017822
2024-08-20 14:32 julian123 Status feedback => assigned
2024-09-12 06:58 qhivert Note Added: 0017873
2024-09-12 06:58 qhivert Status assigned => feedback
2024-09-16 10:21 julian123 Note Added: 0017886
2024-09-16 10:21 julian123 Status feedback => assigned
2024-10-08 12:27 qhivert Status assigned => resolved
2024-10-08 12:27 qhivert Resolution open => fixed
2024-10-08 12:27 qhivert Fixed in Version => 5.11.1