Opened 4 years ago
Closed 4 years ago
#1485596 closed Bugs (fixed)
XSS found in address book import
| Reported by: | baska | Owned by: | |
|---|---|---|---|
| Priority: | 1 - Highest | Milestone: | 0.2-stable |
| Component: | Security | Version: | 0.2-beta |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
Please import the following vCard file text
- Save the following strings into a text file
- Then import the file into the address book
- "Replace the entire address book" must be checked
```
BEGIN:VCARD
VERSION:2.1
N:Baasandorj;Namnansuren
FN:<script>alert(document.cookie)</script>
ORG:... Co.
TITLE:Auditor
TEL;WORK;VOICE:(111) 555-1212
TEL;HOME;VOICE:(404) 555-1212
ADR;WORK:;;100 Waters Edge;Baytown;LA;30314;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:100 Waters Edge=0D=0ABaytown, LA 30314=0D=0AUnited States of America
ADR;HOME:;;42 Plantation St.;Baytown;LA;30314;United States of America
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:42 Plantation St.=0D=0ABaytown, LA 30314=0D=0AUnited States of America
EMAIL;PREF;INTERNET: baasandorj@…
REV:20080424T195243Z
END:VCARD
```
Attachments (1)
Change History (5)
Changed 4 years ago by baska
comment:1 Changed 4 years ago by alec
- Component changed from Addressbook to Security issue
- Milestone changed from later to 0.2-stable
comment:2 Changed 4 years ago by alec
- Priority changed from 5 to 1 - Highest
comment:3 Changed 4 years ago by jmlsteele
comment:4 Changed 4 years ago by alec
- Resolution set to fixed
- Status changed from new to closed

Vcard file with the attack string
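
The class of flaw reported above, shown beside an output-encoded form, as an added example that is not the project's code or its actual fix. The ticket does not show how the application renders contacts, so the unescaped rendering is an assumption; the function names, the shortened sample card and the placeholder e-mail address are constructed for illustration.

```python
import html
import quopri

# Constructed sample modelled on the ticket's vCard (shortened; e-mail is a placeholder).
SAMPLE_VCARD = """BEGIN:VCARD
VERSION:2.1
N:Baasandorj;Namnansuren
FN:<script>alert(document.cookie)</script>
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:100 Waters Edge=0D=0ABaytown, LA 30314
EMAIL;PREF;INTERNET: user@example.invalid
END:VCARD
"""

def parse_vcard(text):
    """Return {PROPERTY: [values]} for one vCard 2.1 record; values stay raw and untrusted."""
    props = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.upper().split(";")
        if "ENCODING=QUOTED-PRINTABLE" in params:
            value = quopri.decodestring(value.encode()).decode("utf-8", "replace")
        props.setdefault(name, []).append(value.strip())
    return props

def render_row_unsafe(props):
    """Assumed flaw: imported text is concatenated into markup as-is."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (props["FN"][0], props["EMAIL"][0])

def render_row_safe(props):
    """Encode every imported field at the point where it enters HTML."""
    cells = (html.escape(props.get(k, [""])[0], quote=True) for k in ("FN", "EMAIL"))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"

if __name__ == "__main__":
    card = parse_vcard(SAMPLE_VCARD)
    print(render_row_unsafe(card))  # markup from the file reaches the page
    print(render_row_safe(card))    # same data rendered as inert text
```

Escaping at render time covers every field of the card, not only FN, and keeps the stored contact data unchanged.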