View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006158SOGoWeb Address Bookpublic2025-10-31 14:482026-01-14 16:19
Reportervrubim Assigned Toqhivert  
PriorityhighSeveritycrashReproducibilityalways
Status feedbackResolutionopen 
Platform[Server] LinuxOSUbuntuOS Version16.04 LTS
Product Version5.12.4 
Summary0006158: Cross-Site Scripting (XSS) - Stored
Description

Stored Cross-Site Scripting occurs when an application receives data from an untrusted source and then includes that data in its subsequent HTTP responses in an insecure manner

It is possible to set other undefined values ​​in the category name, and to add XSS scripts.

Endpoint: /Preferences#!/addressbooks

Steps To Reproduce

see screenshots.

TagsSecurity

Activities

vrubim

vrubim

2025-10-31 14:58

reporter   ~0018365

screenshots addeds

4.png (39,228 bytes)   
4.png (39,228 bytes)   
3.png (122,891 bytes)   
3.png (122,891 bytes)   
2.png (41,422 bytes)   
2.png (41,422 bytes)   
1.png (114,466 bytes)   
1.png (114,466 bytes)   
qhivert

qhivert

2025-12-16 09:27

administrator   ~0018391

Hello,
I've made a fix for events, tasks and contacts categories -> https://github.com/Alinto/sogo/commit/e9b3f2a43d7557e8416f6749df4ab4f9128af2d1
available with next nigthly
vrubim

vrubim

2026-01-14 15:47

reporter   ~0018399

qhivert what means "next nightly" ? I can't see any new release version on github "releases or tags" .
qhivert

qhivert

2026-01-14 16:19

administrator   ~0018400

This is the version that is build every night witht the latests commit in our repo. So the fix is already in it.
Go there -> https://www.sogo.nu/download.html
At the bottom check Dvelopmen (nighlyt) and your os to get the repo link

Issue History

Date Modified Username Field Change
2025-10-31 14:48 vrubim New Issue
2025-10-31 14:48 vrubim Tag Attached: Security
2025-10-31 14:58 vrubim Note Added: 0018365
2025-10-31 14:58 vrubim File Added: 4.png
2025-10-31 14:58 vrubim File Added: 3.png
2025-10-31 14:58 vrubim File Added: 2.png
2025-10-31 14:58 vrubim File Added: 1.png
2025-12-16 09:27 qhivert Note Added: 0018391
2025-12-16 09:27 qhivert Assigned To => qhivert
2025-12-16 09:27 qhivert Status new => feedback
2026-01-14 15:47 vrubim Note Added: 0018399
2026-01-14 15:47 vrubim Status feedback => assigned
2026-01-14 16:19 qhivert Note Added: 0018400
2026-01-14 16:19 qhivert Status assigned => feedback