Hello.
Recently we found out that some JavaScript can be executed inside the Carbonio web interface.
We had received a mail with this code inside the mail body:
[Original report redacted — full proof-of-concept and reproduction steps shared privately at security@zextras.com for coordinated disclosure.]
and two pop-ups with this text - JavaScript from servername 1 - were shown when I just opened this mail. I guess this looks like a vulnerability.
Only Chrome-based browsers are affected.
Steps to reproduce:
- Receive the code above in a separate email, or attach this code as an EML file
- Open the email or the attached EML file with this code
- The JavaScript pop-up shows up twice
What can we do to prevent this? Thank you
zmcontrol -v Carbonio Release 26.3.1
Due to the connectivity lag I accidentally posted the same thing three times; the other two topics can be deleted.
Anyway, is there any bug tracker to post this kind of issue to? Topics here in General are rarely answered.
Thank you for raising this carefully and for the clear reproduction steps.
I tried to reproduce on a separate Carbonio Release 26.3.2 but couldn't. The multi-vector payload was properly sanitized in both Inbox and Junk render paths. All the script/svg/iframe/style/meta tags were stripped from the email content before display; only inert text remained.
So either the body render sanitization is working differently or there is something different in your environment.
Could you please upgrade to 26.3.2 and retest?
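The reply above describes the expected render-path behaviour: script/svg/iframe/style/meta content is stripped before display and only inert text remains. The following is an added illustration of that kind of allow-list sanitizer, written for this thread and not Carbonio's own code; the tag and attribute allow-lists, the `DROP_SUBTREE` set and the sample body are assumptions constructed for the example. It also drops `on*` event-handler attributes and non-http/mailto link schemes, which goes slightly beyond the tags the reply names, so a "looks sanitized" check can be run locally against a saved EML body.

```python
import html
from html.parser import HTMLParser

# Allow-list: tag -> attributes permitted on it (assumed policy, not Carbonio's).
ALLOWED_TAGS = {
    "p": set(), "br": set(), "div": set(), "span": set(), "blockquote": set(),
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
# Tags whose whole subtree is discarded: their inner text is code or markup,
# not message content. Any other non-allow-listed tag (meta, form, ...) is
# dropped but the text inside it is kept.
DROP_SUBTREE = {"script", "style", "svg", "iframe", "object", "embed",
                "head", "title", "noscript", "math"}
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class MailBodySanitizer(HTMLParser):
    """Re-serialises untrusted HTML keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None   # name of the subtree currently being discarded
        self.drop_depth = 0    # nesting of that same tag inside the subtree

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                continue   # event handlers and non-allow-listed attributes
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue   # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            if tag == self.dropping:
                self.drop_depth += 1
            return
        if tag in DROP_SUBTREE:
            self.dropping, self.drop_depth = tag, 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
        # not allow-listed: the tag is omitted, its text still flows through

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.drop_depth -= 1
                if self.drop_depth == 0:
                    self.dropping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    # comments, doctype declarations and processing instructions are discarded
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_mail_body(raw_html: str) -> str:
    """Return the inert HTML that would be handed to the mail viewer."""
    parser = MailBodySanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: harmless text mixed with the tag kinds named in the thread.
SAMPLE = (
    '<p>Hello</p>'
    '<script>evil()</script>'
    '<svg><circle/></svg>'
    '<style>p{display:none}</style>'
    '<iframe src="https://example.invalid/"></iframe>'
    '<meta http-equiv="refresh" content="0">'
    '<p onclick="evil()">text</p>'
    '<a href="javascript:evil()">l</a>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_mail_body(SAMPLE))
```

Feed it the decoded `text/html` part of the saved EML; if anything other than allow-listed tags, plain text and http(s)/mailto links comes out, the body is not inert and is worth sending to the vendor address above.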
Thanks for the answer.
Well, just copy-pasting this code apparently doesn't really work.
I attached an example of the mail, a sanitized one, which provokes the JavaScript pop-up, in the link below:
https://pixeldrain.com/u/TcCXA2uf
Hi,
Thank you so much for your time and effort.
Could you please share your detailed findings at security@zextras.com?
That way our team could collaborate with you regarding your findings.
For security purposes, I am redacting sensitive information from the previous replies.
Thanks for your understanding.
