SOGo | BTS



ID: 0003718
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2016-06-07 08:34
Last Update: 2016-07-04 14:48
Reporter: fgrunow
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.0.2
Fixed in Version: 3.1.3
Summary: 0003718: Persistent Cross-Site Scripting in calendar

Description: There is a persistent Cross-Site Scripting (XSS) in the calendar of the SOGo Web UI. When creating a calendar entry containing script code and viewing the raw entry in the Web UI, the script code gets executed.

Steps To Reproduce:
1) Create a calendar entry like the one attached in the screenshot below. I used Thunderbird for this; XSS might also trigger if you do this in SOGo directly. Did not try.

2) View the entry in SOGo. Click on "View Raw Source".

3) JavaScript payload will be executed in the browser.
Additional Information:
Vulnerable fields:
1) Description
2) Location
3) URL
4) Title

This seems to be a DOM-based XSS. As SOGo is doing a pretty good job in encoding malicious data in many other places, I guess you know how to fix this.

For further information:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Tags: No tags attached.

Attached Files:
- persistent_xss_sogo_calendar_viewraw_trigger_fg.png (67,413 bytes) 2016-06-07 08:34
- persistent_xss_sogo_calendar_viewraw1_fg.png (43,980 bytes) 2016-06-07 08:35
- persistent_xss_sogo_calendar_viewraw_fg.png (106,998 bytes) 2016-06-07 08:35

- Notes
There are no notes attached to this issue.

- Related Changesets
sogo: master 64ce3c9c
Timestamp: 2016-06-08 16:06:58
Author: francis

Escape HTML in raw source of events and tasks

Fixes 0003718

Files changed:
mod - NEWS
mod - UI/Scheduler/UIxComponentEditor.m
mod - UI/WebServerResources/js/Scheduler/ComponentController.js
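The pattern behind the fix named in the changeset, shown as an added example that is not SOGo's own code: the event's raw iCalendar text is HTML-escaped before it is placed in the page, instead of being injected as markup. The sample event, the function names and the `<pre>` wrapper are assumptions made for this illustration.

```javascript
// Added example, not SOGo's code. A constructed iCalendar event whose text
// fields (SUMMARY, DESCRIPTION, LOCATION, URL, matching the fields the report
// lists as affected) carry markup that must be displayed, never interpreted.
const SAMPLE_RAW_EVENT = [
  "BEGIN:VEVENT",
  "SUMMARY:Planning <script>alert(1)</script>",
  "DESCRIPTION:Notes & <b>agenda</b>",
  "LOCATION:Room \"A\"",
  "URL:http://example.invalid/?a=1&b=2",
  "END:VEVENT",
].join("\n");

// Escape the five characters that change meaning in HTML text or attribute
// context. Ampersand goes first so the entities added afterwards stay intact.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw source concatenated straight into HTML. Any tag in
// the event text becomes live markup once this string is assigned to innerHTML.
function renderRawSourceUnsafe(raw) {
  return "<pre>" + raw + "</pre>";
}

// Hardened pattern: same wrapper, but the event text is escaped first, so the
// browser shows the tags as text and executes nothing.
function renderRawSourceSafe(raw) {
  return "<pre>" + escapeHtml(raw) + "</pre>";
}

// Regression check: apart from the known wrapper, the rendered HTML must not
// contain any tag-delimiting character.
function hasUnescapedTags(html) {
  const inner = html.replace(/^<pre>/, "").replace(/<\/pre>$/, "");
  return /[<>]/.test(inner);
}

console.log(renderRawSourceSafe(SAMPLE_RAW_EVENT));
```

In a browser the equivalent fix without string building is to assign the raw text to `pre.textContent` rather than `innerHTML`; the escape function is what you need when the HTML is assembled as a string, client- or server-side.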

- Issue History
Date Modified Username Field Change
2016-06-07 08:34 fgrunow New Issue
2016-06-07 08:34 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_trigger_fg.png
2016-06-07 08:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw1_fg.png
2016-06-07 08:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_fg.png
2016-06-08 16:08 francis Changeset attached => sogo master 64ce3c9c
2016-06-08 16:08 francis Assigned To => francis
2016-06-08 16:08 francis Resolution open => fixed
2016-06-08 16:09 francis Status new => resolved
2016-06-08 16:09 francis Fixed in Version => 3.1.3
2016-07-04 14:48 ludovic View Status private => public

