SOGo - BTS - SOGo
View Issue Details
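ID: 0003718
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2016-06-07 08:34
Last Update: 2016-07-04 14:48
Reporter: fgrunow
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.0.2
Fixed in Version: 3.1.3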
0003718: Persistent Cross-Site Scripting in calendar
There is a persistent Cross-Site Scripting (XSS) in the calendar of the SOGo Web UI. When creating a calendar entry containing script code and viewing the raw entry in the Web UI, the script code gets executed.
1) Create a calendar entry like the one attached in the screenshot below. I used Thunderbird for this; XSS might also trigger if you do this in SOGo directly. Did not try.

2) View the entry in SOGo. Click on "View Raw Source".

3) JavaScript payload will be executed in the browser.
Vulnerable fields:
1) Description
2) Location
3) URL
4) Title

This seems to be a DOM-based XSS. As SOGo is doing a pretty good job in encoding malicious data in many other places I guess you know how to fix this.

For further information:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
No tags attached.
Attached files:
persistent_xss_sogo_calendar_viewraw_trigger_fg.png (67,413) 2016-06-07 08:34
https://sogo.nu/bugs/file_download.php?file_id=1582&type=bug

persistent_xss_sogo_calendar_viewraw1_fg.png (43,980) 2016-06-07 08:35
https://sogo.nu/bugs/file_download.php?file_id=1583&type=bug

persistent_xss_sogo_calendar_viewraw_fg.png (106,998) 2016-06-07 08:35
https://sogo.nu/bugs/file_download.php?file_id=1584&type=bug

Issue History
2016-06-07 08:34  fgrunow  New Issue
2016-06-07 08:34  fgrunow  File Added: persistent_xss_sogo_calendar_viewraw_trigger_fg.png
2016-06-07 08:35  fgrunow  File Added: persistent_xss_sogo_calendar_viewraw1_fg.png
2016-06-07 08:35  fgrunow  File Added: persistent_xss_sogo_calendar_viewraw_fg.png
2016-06-08 16:08  francis  Changeset attached => sogo master 64ce3c9c
2016-06-08 16:08  francis  Assigned To => francis
2016-06-08 16:08  francis  Resolution: open => fixed
2016-06-08 16:09  francis  Status: new => resolved
2016-06-08 16:09  francis  Fixed in Version => 3.1.3
2016-07-04 14:48  ludovic  View Status: private => public

There are no notes attached to this issue.
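
The class of fix this report asks for, as an added example that is not SOGo's code and not the attached changeset: a raw-source view that HTML-encodes the whole iCalendar entry before insertion, next to the unencoded "before" form, with a regression check over the four reported fields. All function names, the markup marker and the sample entry are constructed for illustration.

```javascript
// Added example, not SOGo code. All names below are hypothetical.

// Constructed sample: a raw iCalendar entry whose four reported fields
// (SUMMARY = title, DESCRIPTION, LOCATION, URL) carry a harmless markup marker.
const MARKER = '<b class="xss-marker">x</b>';
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'BEGIN:VEVENT',
  'SUMMARY:Title ' + MARKER,
  'DESCRIPTION:Desc ' + MARKER,
  'LOCATION:Room ' + MARKER,
  'URL:http://example.invalid/' + MARKER,
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// HTML-encode the characters significant in element content and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the raw entry is concatenated into markup, so the browser
// parses user-controlled field values as HTML.
function renderRawSourceUnsafe(ics) {
  return '<pre class="raw-source">' + ics + '</pre>';
}

// "After": every character of the raw entry is encoded before insertion.
function renderRawSource(ics) {
  return '<pre class="raw-source">' + escapeHtml(ics) + '</pre>';
}

// Regression check: names of the iCalendar properties whose value reaches
// the rendered HTML with its markup still live (unencoded).
function propertiesWithLiveMarkup(ics, render) {
  const html = render(ics);
  return ics.split(/\r?\n/)
    .filter((line) => /[<>]/.test(line) && html.includes(line))
    .map((line) => line.split(':')[0]);
}
```

In browser code, assigning the raw entry to an element's `textContent` instead of building an HTML string gives the same result without a hand-written encoder.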