Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upXSS Issues #3875
Comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Milestone changed by @alecpl on 15 Aug 2012 08:13 UTC later => 0.8.1 |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Status changed by @alecpl on 15 Aug 2012 09:24 UTC new => closed |
rcubetrac
closed this
Aug 15, 2012
rcubetrac
added
bug
C: Security
P1
labels
Mar 20, 2016
rcubetrac
added this to the 0.8.1 milestone
Mar 20, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
rcubetrac commentedAug 14, 2012
Reported by NightRanger on 14 Aug 2012 19:55 UTC as Trac ticket #1488613
Send an html formatted email to the victim with the following html code: <a href=javascript:alert("XSS")>Click Me.
You can do this also from the WYSIWYG editor by creating a new link and in the url insert: javascript:alert("XSS").
The insert link function doesn't validates URL properly.
once the user clicks on the url the XSS should be triggered.
In order to trigger this XSS you should insert the payload: "><img src='1.jpg'onerror=javascript:alert("XSS")> into your signature
Settings -> Identities -> Your Identitiy -> Signature
Now create a new mail, XSS Should be triggered.
Keywords: XSS
Migrated-From: http://trac.roundcube.net/ticket/1488613