Closed
Description
Hi. When using rcfilters plugin version 2.1.6, two parameters, "_whatfilter" and "_messages", do not sanitize user input. Therefore you can inject JavaScript code in them. Since it's a self-XSS, it may not have any security impact. A user can inject JS and HTML code in his/her own account filters list.
Tested on Roundcube Webmail version 1.0.5.
