GeekWithCoffee
commented
5 years ago Just a heads up that this XSS vulnerability got assigned a CVE number and ended up on US-CERT's weekly vulnerability summary e-mail, so someone should probably take care of this.
Hi. when using rcfilters plugin version 2.1.6, two parameters "_whatfilter" and "_messages" do not sanitize user input. therefore you can inject javascript code in them. since it's a self XSS, it may not have any impact security. a user can inject js and html code in his/her own account filters list.
tested on Roundcube Webmail version 1.0.5