View Issue Details

ID: 0003718
Project: SOGo
Category: Web Calendar
View Status: public
Last Update: 2016-07-04 14:48
Reporter: fgrunow
Assigned To: francis
Status: resolved
Resolution: fixed
Product Version: 3.0.2
Target Version:
Fixed in Version: 3.1.3
Summary: 0003718: Persistent Cross-Site Scripting in calendar

There is a persistent Cross-Site Scripting (XSS) vulnerability in the calendar of the SOGo Web UI. When creating a calendar entry containing script code and viewing the raw entry in the Web UI, the script code gets executed.

Steps To Reproduce

1) Create a calendar entry like the one attached in the screenshot below. I used Thunderbird for this; the XSS might also trigger if you do this in SOGo directly. I did not try.

2) View the entry in SOGo. Click on "View Raw Source".

3) JavaScript payload will be executed in the browser.

Additional Information

Vulnerable fields:
1) Description
2) Location
3) URL
4) Title

This seems to be a DOM-based XSS. As SOGo is doing a pretty good job in encoding malicious data in many other places I guess you know how to fix this.

For further information:

Tags: No tags attached.


Related Changesets

sogo: master 64ce3c9c

2016-06-08 16:06:58

Escape HTML in raw source of events and tasks

Fixes 0003718

Affected files:
mod - NEWS
mod - UI/Scheduler/UIxComponentEditor.m
mod - UI/WebServerResources/js/Scheduler/ComponentController.js

Issue History

Date Modified Username Field Change
2016-06-07 08:34 fgrunow New Issue
2016-06-07 08:34 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_trigger_fg.png
2016-06-07 08:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw1_fg.png
2016-06-07 08:35 fgrunow File Added: persistent_xss_sogo_calendar_viewraw_fg.png
2016-06-08 16:08 francis Changeset attached => sogo master 64ce3c9c
2016-06-08 16:08 francis Assigned To => francis
2016-06-08 16:08 francis Resolution open => fixed
2016-06-08 16:09 francis Status new => resolved
2016-06-08 16:09 francis Fixed in Version => 3.1.3
2016-07-04 14:48 ludovic View Status private => public