Recent changes to 496: Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

2022-06-10T20:33:16.663000Z

Thanks, Renan for reporting this. I have just fixed that.

Although, these are harmless, as referer check would block all requests to files in question.

#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

2022-06-10T06:17:19.394000Z

For the issue with list_folders.cgi , what was the full URL that triggers the issue? It's cut off in your screenshot..

#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

2022-06-10T05:01:20.968000Z

Hi,

In my opinion, this XSS vulnerability could be used with a CSRF vulnerability (if found).
An attacker could send a HTML page to the victim that execute a automatic/hidden POST request.

Enviado via e-mail seguro de Proton Mail.

------- Original Message -------
Em quinta-feira, 9 de junho de 2022 às 7:58 PM, Ilia iliajie@users.sourceforge.net escreveu:

Thanks for reporting this. We will look into fixing this.

Although, can you think of a real life exploitation of this bug, when this attack could actually be perpetrated agaist another user?

usermin-bugs:#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

Status: open
Group: 1.840
Created: Thu Jun 09, 2022 01:45 AM UTC by Renan
Last Updated: Thu Jun 09, 2022 01:45 AM UTC
Owner: Jamie Cameron

Cross-site scripting (XSS) Stored in "Manage Folders" in Webmin Usermin version 1.840, which allow remote attackers to inject arbitrary web script or HTML via the "Folder Name" input.

Another Cross-site scripting (XSS) Stored in "Address Book" in Webmin Usermin version 1.840, which allow remote attackers to inject arbitrary web script or HTML via the "Address Book's Real Name" input.

Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/webadmin/usermin-bugs/496/

To unsubscribe from further messages, please visit https://sourceforge.net/auth/subscriptions/

#496 Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

2022-06-09T22:58:06.607000Z

Thanks for reporting this. We will look into fixing this.

Although, can you think of a real life exploitation of this bug, when this attack could actually be perpetrated agaist another user?

Cross-site scripting (XSS) Stored in Usermin's "Manage Folders" and "Address Book"

2022-06-09T01:45:41.570000Z

Cross-site scripting (XSS) Stored in "Manage Folders" in Webmin Usermin version 1.840, which allow remote attackers to inject arbitrary web script or HTML via the "Folder Name" input.

Another Cross-site scripting (XSS) Stored in "Address Book" in Webmin Usermin version 1.840, which allow remote attackers to inject arbitrary web script or HTML via the "Address Book's Real Name" input.