HumHub Humhub-modules-mail MailController.php actionCreate() Stored XSS
|[+]||Versions affected:||0.10.0-rc1 and earlier|
Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction with Humhub 0.10.0-rc.1 or prior) is affected by the same vulnerability as in LEAKFREE-2014-008. The vulnerable code is located in the function actionCreate() in "/controllers/MailController.php". Since every private message sent to a humhub user is also sent to the user's e-mail in the form of a HTML-enabled notification e-mail, an attacker can insert custom HTML elements in the body of the e-mail with grave consequences. It should be noted that the displayed in-system private messages are not susceptible to this attack vector.
Upgrade to the latest HumHub release