View Issue Details

ID: 0006009
Project: SOGo
Category: Web Preferences
View Status: public
Last Update: 2024-09-12 06:58
Reporter: julian123
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 5.10.0
Summary: 0006009: Stored-XSS in Vacation Auto-Reply
Description

A cross-site scripting payload can be stored in the Auto-Reply Subject and Auto-reply message fields of the vacation auto-reply, leading to execution when the user navigates to their inbox.

Steps To Reproduce
  1. Authenticate to the application.
  2. Navigate to Preferences > Mail > Vacation.
  3. Select Enable Vacation Auto Reply.
  4. In the Auto-Reply Subject field add the following payload:
    //</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1)//>\\x3e
  5. In the Auto-Reply message field add the following payload:
    //</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(2)//>\\x3e
  6. Select Save.
  7. Navigate to the user's inbox and observe the XSS payloads execute.
Tags: signature

Relationships

related to 0006010 closed qhivert Stored-XSS in Reply to Email
related to 0006004 assigned qhivert Stored-XSS in Contacts Category Fields

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-20 00:03 julian123 New Issue
2024-08-20 00:03 julian123 Tag Attached: signature
2024-08-20 14:07 qhivert Relationship added related to 0006010
2024-08-20 14:08 qhivert Relationship added related to 0006004
2024-09-12 06:58 qhivert Assigned To => qhivert
2024-09-12 06:58 qhivert Status new => closed
2024-09-12 06:58 qhivert Resolution open => duplicate