Opened 8 years ago
Closed 8 years ago
#1332084 closed Bugs (Fixed)
Javascript injection vulnerability
| Reported by: | nobody | Owned by: | roundcube |
|---|---|---|---|
| Priority: | 5 | Milestone: | |
| Component: | Security | Version: | 0.1-alpha |
| Severity: | | Keywords: | |
| Cc: | | | |
Description
Hi, I played around with the RoundCube webmail demo today and found a JavaScript injection vulnerability in the creation of new folders. The name of the folder is not validated before being created, which allows you to enter a folder name such as "<script >....</script>". After the folder creation, the entire site goes haywire. I understand that by entering junk folder names or flirting with stuff like SQL injection or JavaScript injection, a user might only be jeopardizing his own inbox and mails, but still I feel the application should validate user input and stop a user from committing suicide.
Change History (1)
comment:1 Changed 8 years ago by roundcube
- Status changed from assigned to closed
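The class of bug reported above, shown as an added example that is not RoundCube's code or its actual fix: a folder name written into the page unencoded, next to the same output with HTML encoding applied, plus a creation-time check. All function names, the 255-byte limit and the sample names are assumptions made for illustration.

```php
<?php
// Added illustration. Function names are hypothetical, not RoundCube's API.

// Pattern the ticket describes: the stored folder name is concatenated into
// the page as-is, so any markup in it is parsed by the browser.
function render_folder_unsafe(string $name): string
{
    return '<li class="folder">' . $name . '</li>';
}

// Encode at output time for the HTML context. ENT_QUOTES also makes the
// value safe inside a quoted attribute such as title="...".
function render_folder(string $name): string
{
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="folder" title="' . $text . '">' . $text . '</li>';
}

// Creation-time check (defence in depth, not a replacement for encoding):
// reject empty, overlong (assumed 255-byte limit) or non-UTF-8 names and
// names containing control characters.
function is_valid_folder_name(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    if (preg_match('//u', $name) !== 1) {   // fails on invalid UTF-8
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $name) !== 1;
}

// Constructed sample names; the second is the form quoted in the ticket.
$samples = ['Work', '<script >....</script>', 'R&D "2024"', "bad\x00name"];

foreach ($samples as $name) {
    if (!is_valid_folder_name($name)) {
        echo "rejected at creation: " . json_encode($name) . PHP_EOL;
        continue;
    }
    echo "unsafe: " . render_folder_unsafe($name) . PHP_EOL;
    echo "safe:   " . render_folder($name) . PHP_EOL;
}
```

The encoding step is what stops the injection: a name containing `<` still passes the creation check and is rendered as text rather than markup.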
