Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3594137 by aikido_security
The compose attachments preview endpoint renders user-uploaded HTML files inline without a restrictive Content Security Policy, allowing JavaScript execution. By uploading an HTML file and opening it via display-attachment, the script runs in the Roundcube origin. Attacking a user is only possible by setting cookies on the domain, which can be done from any subdomain of the site where Roundcube is hosted.
Stored XSS on a cloud-drive public-share preview endpoint that serves user-uploaded HTML as text/html on the main application origin with a permissive CSP. A single click on the share link executes attacker JavaScript with same-origin access to the victim's session, allowing the attacker to impersonate the victim against every drive API: exfiltrating collaborator PII, the full file tree, payment-system identifiers and five cross-service XSRF tokens, modifying account preferences, and silently turning every private file in the victim's drive into a public URL.
A Reflected XSS vulnerability was identified in a navigation/routing endpoint of a financial institution's web application. The callback GET parameter is reflected unsanitized into a JavaScript context on the client side, allowing arbitrary code execution.
Stored Cross-Site Scripting via SVG File Upload Filter Bypass