XSS in Integration URL in linagora/twake
Valid
Reported on
Dec 14th 2022
Description
XSS vulnerability in integration URL that could execute javascript when clicking on the URL
Proof of Concept
- navigate to the panel dashboard
- add or edit integration and insert the URL of integration with this payload
javascript:alert(1)
POC:
https://drive.google.com/file/d/1jK0eBsnhCEhhuun8Xu7uKb1tCjuKnPEi/view?usp=sharing
https://drive.google.com/file/d/1c80JrArTMKGeKUW13Ny34OgZht8HSAnR/view?usp=sharing
Impact
Execute javascript on the victim browser
We are processing your report and will contact the
linagora/twake
team within 24 hours.
5 months ago
We have contacted a member of the
linagora/twake
team and are waiting to hear back
5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Valid XSS attack, we'll sanitise the href fields.
reza.duty
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Will be fixed in this commit 61f4c0caf4ce61c839fb304a707972974daacae9
Romaric Mourgues
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Jan 1st 2023
belingem
commented
4 months ago
hi,@Maintainer,I don't see a fix for this vulnerability on github up to now.And I don't think it's safe to announce this vulnerability when no fix has been released, I hope you could update this commit soon,thanks!
to join this conversation