Reported by sroesemann on 30 May 2015 11:30 UTC as Trac ticket #1490417
The XSS-vulnerability can be triggered by appending malicious script code to the _mbox-parameter. The following example will pop an alert box:
https://{YOURSERVER}/?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E
Attackers could use this vulnerability to steal cookies or extract email-content.
Used browsers: Mozilla Firefox v. 38.0.1, Apple Safari 8.0.6 on Mac OSX 10.10.
Keywords: XSS, Vulnerability
Migrated-From: http://trac.roundcube.net/ticket/1490417
Comment by @alecpl on 30 May 2015 14:29 UTC
Confirmed. There's no alert in Roundcube 1.0.
Milestone changed by @alecpl on 30 May 2015 14:29 UTC
later => 1.1.2
Comment by @alecpl on 30 May 2015 15:39 UTC
Fixed in b782815.
Status changed by @alecpl on 30 May 2015 15:39 UTC
new => closed
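A defender-side check for the request pattern reported in this ticket, added here as an example and not taken from the ticket or from Roundcube's code: it scans access-log lines for `_mbox` values that decode to `"`, `<` or `>`, including double-encoded ones. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a reflected value close an attribute or open a tag.
HTML_BREAKOUT = re.compile(r'["<>]')
# Request target inside a combined-format access-log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; line 2 carries the request from the ticket.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/May/2015:11:31:02 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/May/2015:11:31:09 +0000] "GET /?_task=mail&_mbox=INBOX%22%3E%3Cscript%3Ealert(%22Roundcube+v1.1.1+XSS%22)%3C%2Fscript%3E HTTP/1.1" 200 5233',
    '203.0.113.9 - - [30/May/2015:11:32:40 +0000] "GET /?_task=mail&_mbox=Archive%2F2015 HTTP/1.1" 200 4980',
    '203.0.113.9 - - [30/May/2015:11:33:12 +0000] "GET /?_task=mail&_mbox=INBOX%2522%253E HTTP/1.1" 200 5001',
]


def suspicious_mbox_values(request_target, max_layers=3):
    """Return _mbox values that contain HTML breakout characters after
    URL-decoding, checking up to max_layers layers of encoding."""
    hits = []
    query = urlsplit(request_target).query
    for value in parse_qs(query, keep_blank_values=True).get("_mbox", []):
        for _ in range(max_layers):  # parse_qs already removed layer one
            if HTML_BREAKOUT.search(value):
                hits.append(value)
                break
            decoded = unquote(value)
            if decoded == value:  # nothing left to decode
                break
            value = decoded
    return hits


def scan_log(lines):
    """Return (line_number, decoded_value) for every flagged _mbox value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in suspicious_mbox_values(match.group(1)):
            findings.append((number, value))
    return findings


if __name__ == "__main__":
    for number, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious _mbox value {value!r}")
```

This is a triage heuristic: a mailbox name that legitimately contains one of these characters will also be flagged, and values sent in a POST body do not appear in the access log.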