View Issue Details

ID: 0006158
Project: SOGo
Category: Web Address Book
View Status: public
Last Update: 2025-12-16 09:27
Reporter: vrubim
Assigned To: qhivert
Priority: high
Severity: crash
Reproducibility: always
Status: feedback
Resolution: open
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 5.12.4
Summary: 0006158: Cross-Site Scripting (XSS) - Stored
Description

Stored Cross-Site Scripting occurs when an application receives data from an untrusted source and then includes that data in its subsequent HTTP responses in an insecure manner.

It is possible to set other undefined values in the category name, and to add XSS scripts.

Endpoint: /Preferences#!/addressbooks

Steps To Reproduce

see screenshots.

Tags: Security
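As an added example (not code from the SOGo project and not part of the report above), the following JavaScript models the store-then-render flow behind a stored XSS in a category name: the value is accepted by one request and emitted into a page served later, which is why it only matters how the stored string is handled at render time and, as defence in depth, at write time. The function names, the allowlist and the sample category values are assumptions made for the illustration; nothing here describes how SOGo itself validates or renders categories.

```javascript
// Added example, not code from SOGo or from this report. It models the
// store-then-render flow behind a stored XSS in a category name: the value is
// accepted by one request and emitted into a later page. All names below
// (functions, the allowlist, the sample values) are assumptions.

// Constructed sample inputs: a harmless name and one carrying an event handler.
const BENIGN_CATEGORY = "Friends & Family";
const MALICIOUS_CATEGORY = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored string is spliced straight into markup, so
// the browser parses the payload as an element, not as text.
function renderCategoryUnsafe(name) {
  return '<span class="category">' + name + "</span>";
}

// Output encoding for an HTML text or quoted-attribute context: the five
// characters that can change parser state become entity references.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: same markup, but the untrusted part is encoded.
function renderCategorySafe(name) {
  return '<span class="category">' + escapeHtml(name) + "</span>";
}

// Defence in depth on the write side: a category label has no legitimate use
// for angle brackets, double quotes or control characters, so an allowlist
// rejects payloads before they are stored. Hypothetical policy, not SOGo's.
const CATEGORY_NAME_RE = /^[\p{L}\p{N} _&.,'()\/-]{1,64}$/u;

function isValidCategoryName(name) {
  return typeof name === "string" && CATEGORY_NAME_RE.test(name);
}

// Triage heuristic for values that are already stored: flags tag openers,
// inline event handlers and javascript: URLs.
function looksLikeMarkup(name) {
  return /<[a-z!\/?]/i.test(name) || /\bon[a-z]+\s*=/i.test(name) || /javascript:/i.test(name);
}

// In-memory stand-in for the preference store. The write path validates and
// the read path encodes, so each layer holds even if the other is bypassed.
function storeCategory(store, name) {
  if (!isValidCategoryName(name)) {
    throw new Error("category name rejected: " + JSON.stringify(name));
  }
  store.push(name);
  return store.length;
}

function renderCategoryList(store) {
  return "<ul>" + store.map((n) => "<li>" + renderCategorySafe(n) + "</li>").join("") + "</ul>";
}

// Sweep an existing store and return the entries that need attention.
function auditStore(store) {
  return store.filter(looksLikeMarkup);
}

// Stand-alone demonstration of all three layers.
function demo() {
  const unsafe = renderCategoryUnsafe(MALICIOUS_CATEGORY);
  const safe = renderCategorySafe(MALICIOUS_CATEGORY);
  const store = [];
  storeCategory(store, BENIGN_CATEGORY);
  let rejected = false;
  try {
    storeCategory(store, MALICIOUS_CATEGORY);
  } catch (e) {
    rejected = true;
  }
  // A legacy store that predates validation: the audit finds the payload.
  const legacy = [BENIGN_CATEGORY, MALICIOUS_CATEGORY];
  return { unsafe, safe, rejected, page: renderCategoryList(store), flagged: auditStore(legacy) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allowlist is deliberately narrower than the encoder: encoding on output is what actually prevents the injection, while the write-side check and the audit sweep catch values that were stored before a fix shipped, which is the case for any instance that already accepted such a category name.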

Activities

vrubim (reporter)   2025-10-31 14:58   ~0018365

screenshots added

4.png (39,228 bytes)
3.png (122,891 bytes)
2.png (41,422 bytes)
1.png (114,466 bytes)
qhivert (administrator)   2025-12-16 09:27   ~0018391

Hello,
I've made a fix for events, tasks and contacts categories -> https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1
Available with the next nightly.

Issue History

Date Modified Username Field Change
2025-10-31 14:48 vrubim New Issue
2025-10-31 14:48 vrubim Tag Attached: Security
2025-10-31 14:58 vrubim Note Added: 0018365
2025-10-31 14:58 vrubim File Added: 4.png
2025-10-31 14:58 vrubim File Added: 3.png
2025-10-31 14:58 vrubim File Added: 2.png
2025-10-31 14:58 vrubim File Added: 1.png
2025-12-16 09:27 qhivert Note Added: 0018391
2025-12-16 09:27 qhivert Assigned To => qhivert
2025-12-16 09:27 qhivert Status new => feedback