Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Persistent Cross Site Scripting in rcfilters plugin #6437

Closed
fi0n4 opened this issue Sep 9, 2018 · 2 comments
Closed

Persistent Cross Site Scripting in rcfilters plugin #6437

fi0n4 opened this issue Sep 9, 2018 · 2 comments

Comments

@fi0n4
Copy link

fi0n4 commented Sep 9, 2018

Hi. when using rcfilters plugin version 2.1.6, two parameters "_whatfilter" and "_messages" do not sanitize user input. therefore you can inject javascript code in them. since it's a self XSS, it may not have any impact security. a user can inject js and html code in his/her own account filters list.

roundcube

tested on Roundcube Webmail version 1.0.5

@alecpl
Copy link
Member

alecpl commented Sep 9, 2018

We do not support this external plugin, nor this old Roundcube version.

@alecpl alecpl closed this as completed Sep 9, 2018
@fi0n4
Copy link
Author

fi0n4 commented Sep 9, 2018

I see. though it seems like the plugin works on all versions of Roundcube.
https://plugins.roundcube.net/packages/eagle00789/rcfilters

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants