XSS via _mbox-parameter in Roundcube v.1.1.1 #4837

rcubetrac · 2015-05-30T11:30:26Z

Reported by sroesemann on 30 May 2015 11:30 UTC as Trac ticket #1490417

The XSS-vulnerability can be triggered by appending malicious script code to the _mbox-parameter. The following example will pop an alert box:

https://{YOURSERVER}/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E

Attackers could use this vulnerability to steal cookies or extract email-content.

Used browsers: Mozilla Firefox v. 38.0.1, Apple Safari 8.0.6 on Mac OSX 10.10.

Keywords: XSS, Vulnerability
Migrated-From: http://trac.roundcube.net/ticket/1490417

rcubetrac · 2015-05-30T14:29:02Z

Comment by @alecpl on 30 May 2015 14:29 UTC

Confirmed. There's no alert in Roundcube 1.0.

rcubetrac · 2015-05-30T14:29:02Z

Milestone changed by @alecpl on 30 May 2015 14:29 UTC

later => 1.1.2

rcubetrac · 2015-05-30T15:39:58Z

Comment by @alecpl on 30 May 2015 15:39 UTC

Fixed in b782815.

rcubetrac · 2015-05-30T15:39:58Z

Status changed by @alecpl on 30 May 2015 15:39 UTC

new => closed

rcubetrac closed this May 30, 2015

rcubetrac added bug C: Security labels Mar 20, 2016

rcubetrac added this to the 1.1.2 milestone Mar 20, 2016

alecpl referenced this issue Jul 18, 2017

Reflected Cross-site Scripting vulnerability #5864

Closed

roundcube/roundcubemail