
Persistent Cross Site Scripting in rcfilters plugin #6437

Closed
@fi0n4


Hi. When using rcfilters plugin version 2.1.6, two parameters, "_whatfilter" and "_messages", do not sanitize user input. Therefore you can inject JavaScript code in them. Since it's a self XSS, it may not have any security impact. A user can inject JS and HTML code in his/her own account filters list.


Tested on Roundcube Webmail version 1.0.5.
