XSS in compose mail functionality in modoboa/modoboa-webmail

Valid

Reported on

Feb 1st 2023


Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

  • Step 1: Log in as a normal user.
  • Step 2: Click on webmail and click on compose.
  • Step 3: Now enter "<svg/onload=alert(document.domain)"@demo.local; also try this payload: "><img src=x onerror=alert(document.domain)>

Now the web page renders the JS and we can see the popup in the browser.

POC: https://drive.google.com/file/d/1epB5BJSRG_VkdmO7KQjAZbHeWxX9kxA_/view?usp=share_link

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
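The following is an added example, not part of the original report and not the project's code; the actual fix in the linked PR is not shown on this page. It assumes a hypothetical template that echoes the recipient field into an `<input>` attribute, and checks the two payloads from the report against server-side validation and output encoding (all function names are illustrative).

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the two payloads quoted in the report, plus a normal address.
SAMPLES = [
    '"<svg/onload=alert(document.domain)"@demo.local',
    '"><img src=x onerror=alert(document.domain)>',
    "user@demo.local",
]

# Assumption: the field accepts only a bare address (no display name, no quoted local part).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_recipient(value):
    """Server-side allow-list check applied before the value is stored or echoed."""
    return ADDR_RE.fullmatch(value) is not None

def render_unsafe(value):
    """Hypothetical template that echoes the value with no output encoding."""
    return '<input name="to" value="%s">' % value

def render_safe(value):
    """Same template with HTML encoding of the value, quotes included."""
    return '<input name="to" value="%s">' % html.escape(value, quote=True)

class _Tags(HTMLParser):
    """Collects every start tag and its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def stays_data(rendered, original):
    """True if the markup is still exactly one <input> whose value is the input string."""
    parser = _Tags()
    parser.feed(rendered)
    parser.close()
    return len(parser.tags) == 1 and parser.tags[0][1].get("value") == original

def audit(samples):
    """Return (value, accepted, unsafe_stays_data, safe_stays_data) for each sample."""
    return [(v, is_valid_recipient(v),
             stays_data(render_unsafe(v), v),
             stays_data(render_safe(v), v)) for v in samples]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Both payloads are rejected by the allow-list and, if echoed anyway, remain inert attribute data only in the encoded rendering.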

We are processing your report and will contact the modoboa/modoboa-webmail team within 24 hours. 2 months ago
Antoine Nguyen validated this vulnerability 2 months ago
r0b0t-0ne has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen
2 months ago

Maintainer


Here is the PR that fixes this issue: https://github.com/modoboa/modoboa-webmail/pull/242

r0b0t-0ne
2 months ago

Researcher


@admin can you please assign a CVE for this report?

Ben Harvie
a month ago

Admin


CVE assignment is in the hands of the maintainer, please refrain from tagging admins for this request. Thanks :)

Antoine Nguyen marked this as fixed in 1.7.1 with commit 599c93 a month ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability will not receive a CVE
Antoine Nguyen published this vulnerability a month ago