View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002598||SOGo||Web Calendar||public||2014-02-04 11:09||2016-07-04 14:48|
|Reporter||Jens Erat||Assigned To||francis|
|Target Version||2.2.0||Fixed in Version||2.2.0|
|Summary||0002598: Script injection in calendar title|
The calendar title is vulnerable to script injections.
|Steps To Reproduce|
Sometimes, the alert box also shows up in the calendar overview.
|Tags||No tags attached.|
What browser do you use?
We were able to reproduce the issue in Chrome/Chromium, Safari and Firefox, most current releases each.
I can't reproduce the problem.
It still gets executed, both when looking at the calendar overview and the appointment details.
I can confirm the bug being fixed for appointments, but a similar problem seems to exist with contacts and the bugfix introduced some encoding problems.
Example of the encoding issues (string seems to be HTML-encoded twice):
How to reproduce the code injection with contacts:
Encoding problems also apply to reminder alerts.
More fixes :
Added HTML escaping in CSS dialogs.
|2014-02-04 11:09||Jens Erat||New Issue|
|2014-02-04 11:23||francis||Note Added: 0006487|
|2014-02-04 13:55||Jens Erat||Note Added: 0006493|
|2014-02-05 13:21||francis||Note Added: 0006502|
|2014-02-05 13:32||Jens Erat||Note Added: 0006503|
|2014-02-05 13:47||francis||Target Version||=> 2.2.0|
|2014-02-05 16:11||francis||Note Added: 0006505|
|2014-02-05 16:11||francis||Status||new => resolved|
|2014-02-05 16:11||francis||Fixed in Version||=> 2.2.0|
|2014-02-05 16:11||francis||Resolution||open => fixed|
|2014-02-05 16:11||francis||Assigned To||=> francis|
|2014-02-07 11:49||Jens Erat||Note Added: 0006532|
|2014-02-07 11:49||Jens Erat||Status||resolved => feedback|
|2014-02-07 11:49||Jens Erat||Resolution||fixed => reopened|
|2014-02-07 12:00||Jens Erat||Note Added: 0006533|
|2014-02-07 12:00||Jens Erat||Status||feedback => assigned|
|2014-02-07 15:55||francis||Note Added: 0006535|
|2014-02-07 20:32||francis||Note Added: 0006536|
|2014-02-07 20:32||francis||Status||assigned => resolved|
|2014-02-07 20:32||francis||Resolution||reopened => fixed|
|2016-07-04 14:48||ludovic||View Status||private => public|