#1488020 closed Bugs (duplicate)

Security issue: An attacker could use text email messages to make Internet Explorer users run scripts in the context of the webmail system

Reported by: enriquerando
Owned by:
Priority: 3
Milestone: later
Component: User Interface
Version: 0.5.3
Severity: major
Keywords:
Cc:

Description

Under certain circumstances, RoundCube doesn’t HTML-encode output when showing text files. If the user uses a browser that processes files based on their contents, it could be leveraged by the attacker to inject scripts.

Please see the attached file for some examples and explanations.

Don't hesitate to contact me for more info.

Attachments (2)

RoundCube1.pdf (249.3 KB) - added by enriquerando 23 months ago.
RoundCube2.pdf (198.2 KB) - added by enriquerando 23 months ago.

Change History (3)

Changed 23 months ago by enriquerando

Changed 23 months ago by enriquerando

comment:1 Changed 23 months ago by alec

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #1487895.
