XSS in Integration URL in linagora/twake

Valid

Reported on

Dec 14th 2022


Description

XSS vulnerability in the integration URL that could execute JavaScript when the URL is clicked.

Proof of Concept

  1. Navigate to the panel dashboard.
  2. Add or edit an integration and insert the URL of the integration with this payload:
     javascript:alert(1)

POC:

https://drive.google.com/file/d/1jK0eBsnhCEhhuun8Xu7uKb1tCjuKnPEi/view?usp=sharing

https://drive.google.com/file/d/1c80JrArTMKGeKUW13Ny34OgZht8HSAnR/view?usp=sharing

Impact

Execute JavaScript in the victim's browser.

We are processing your report and will contact the linagora/twake team within 24 hours. 5 months ago
We have contacted a member of the linagora/twake team and are waiting to hear back 5 months ago
Romaric Mourgues modified the Severity from Low (3.5) to Medium (5.7) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Romaric Mourgues validated this vulnerability 5 months ago

Valid XSS attack, we'll sanitise the href fields.
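
One way to sanitise an href value against the `javascript:` payload in this report, as an added example that is not the code from the Twake fix commit. The names `safeHref` and `auditIntegrations`, the record shape, and the http/https allow-list are assumptions; the sample records are constructed.

```javascript
// Added example, not Twake's code. Allow-list for user-supplied link targets.
// Assumption: an integration URL only ever needs to be an absolute web URL.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalised URL string that is safe to place in href, or null.
function safeHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // The WHATWG parser applies the same normalisation a browser does before
    // it picks the scheme: leading/trailing spaces and control characters are
    // trimmed, tabs and newlines are dropped, and the scheme is lowercased.
    // Checking url.protocol therefore sees what the browser would act on.
    url = new URL(input);
  } catch {
    return null; // relative, scheme-less or malformed: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample records (hypothetical shape, not Twake's data model).
const sampleIntegrations = [
  { name: "ci-hook", url: "https://ci.example.com/hook?id=7" },
  { name: "upper", url: "HTTPS://Example.COM/a" },
  { name: "poc", url: "javascript:alert(1)" },        // payload from the report
  { name: "cased", url: " JaVaScRiPt:alert(1)" },     // case + leading space
  { name: "tabbed", url: "java\tscript:alert(1)" },   // tab inside the scheme
  { name: "data", url: "data:text/html,<b>x</b>" },   // other non-web scheme
  { name: "bare", url: "example.com/hook" },          // no scheme
];

// Split records into those safe to render as links and those to refuse.
function auditIntegrations(records) {
  const accepted = [];
  const rejected = [];
  for (const { name, url } of records) {
    const href = safeHref(url);
    if (href === null) rejected.push(name);
    else accepted.push({ name, href });
  }
  return { accepted, rejected };
}

console.log(auditIntegrations(sampleIntegrations));
```

Applying the check both when the URL is saved and when it is rendered also covers records that were stored before the validation existed.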

reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Romaric
5 months ago

Maintainer


Will be fixed in this commit 61f4c0caf4ce61c839fb304a707972974daacae9

reza.duty
5 months ago

Researcher


Thanks, can you please request a CVE ID for this issue?

Romaric Mourgues marked this as fixed in 2023.Q1.1200+ with commit 61f4c0 5 months ago
Romaric Mourgues has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 1st 2023
Ben Harvie published this vulnerability 4 months ago
belingem
4 months ago

Hi @Maintainer, I don't see a fix for this vulnerability on GitHub up to now. And I don't think it's safe to announce this vulnerability when no fix has been released. I hope you could update this commit soon, thanks!
