Closed: c3l3si4n closed this issue 2 years ago
I can confirm this for 'postmaster' and 'siteadmin' accounts.
Thanks for reporting.
Some years ago I started a web GUI in Python (#254). Maybe this would be better than the PHP scripts. But it still needs testing. https://gitlab.com/runout/veximpy
Description: Improper validation of user input leads to a reflected cross-site scripting (XSS) or HTML injection in the Vexim2 web application. If a user inserts JavaScript or HTML code into certain parameters, the specified payload will be executed on page load.
Expected: Potentially malicious client-side code specified in a parameter should not be executed by the browser in the web application.
Actual: The browser successfully executes the specified JS or HTML payloads if a malicious URL is opened.
Steps to reproduce:
http://127.0.0.1/admingroupdelete.php?group_id=1&localpart=test%27%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Ca%20a=%27
Impact: This may allow an attacker to steal sensitive session information or CSRF tokens for executing a Cross-Site Request Forgery attack.
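The bug class in this report is a request parameter written back into the page without output encoding. The following is an added illustration and is not Vexim2's own code: the handler names, the HTML layout, the allowed local-part character set and the sample input are all assumptions made for the example. It shows a reflecting handler in the vulnerable form next to a hardened form that validates the parameters and encodes every dynamic value for its HTML context.

```php
<?php
// Added example, not code from the Vexim2 project. Function names, markup
// and the local-part character set below are assumptions for illustration.
declare(strict_types=1);

// Vulnerable form: the request parameter is concatenated verbatim into an
// HTML attribute and into element text. A value containing a quote and a
// closing angle bracket terminates the attribute and injects its own markup.
function render_confirm_vulnerable(array $get): string
{
    $localpart = $get['localpart'] ?? '';
    $groupId   = $get['group_id'] ?? '';
    return "<input type='hidden' name='localpart' value='" . $localpart . "'>"
         . "<p>Delete group " . $groupId . " for " . $localpart . "?</p>";
}

// Context-aware output encoding for HTML text and attribute values.
// ENT_QUOTES covers both single- and double-quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string; the charset is
// stated explicitly so the encoder never falls back to another one.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: validate the shape of each parameter first, then encode on
// output anyway (defence in depth, in case the validation rule is relaxed later).
function render_confirm_hardened(array $get): string
{
    // group_id is expected to be an integer identifier.
    $groupId = filter_var($get['group_id'] ?? '', FILTER_VALIDATE_INT);
    if ($groupId === false) {
        http_response_code(400);
        return '<p>Invalid group id.</p>';
    }

    // Assumed allow-list for a mail local part; adjust to the deployment's rules.
    $localpart = (string) ($get['localpart'] ?? '');
    if (!preg_match('/^[A-Za-z0-9._+-]{1,64}$/', $localpart)) {
        http_response_code(400);
        return '<p>Invalid local part.</p>';
    }

    return "<input type='hidden' name='localpart' value='" . h($localpart) . "'>"
         . "<p>Delete group " . (int) $groupId . " for " . h($localpart) . "?</p>";
}

// Constructed demonstration input shaped like the reported parameter value.
$reported = ['group_id' => '1', 'localpart' => "test'><script>alert('XSS')</script><a a='"];
$benign   = ['group_id' => '1', 'localpart' => 'bob.smith'];

echo render_confirm_vulnerable($reported), "\n"; // attribute closed, script tag emitted
echo render_confirm_hardened($reported), "\n";   // rejected with a 400 and a fixed message
echo render_confirm_hardened($benign), "\n";     // accepted, values rendered encoded
```

Run it with the PHP CLI to compare the three rendered outputs. The validation step alone would already reject the reported payload, but the `h()` wrapper is what keeps the page safe for any value that does reach the output, which is why both belong in the fix.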