LEAKFREE-2014-006 / OSVDB-115636

HumHub Humhub-modules-mail MailController.php actionCreate() Stored XSS

[+] OSVDB-ID: OSVDB-115636
[+] LF-ID: LEAKFREE-2014-006
[+] CVSS: 7.0
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier

Vulnerability

Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction with HumHub 0.10.0-rc.1 or prior) are affected by the same vulnerability as LEAKFREE-2014-008. The vulnerable code is located in the function actionCreate() in "/controllers/MailController.php". Because every private message sent to a HumHub user is also delivered to that user's e-mail address as an HTML-enabled notification e-mail, an attacker can insert custom HTML elements into the body of that e-mail, with grave consequences. It should be noted that private messages displayed in-system are not susceptible to this attack vector.
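The defect described above, as an added illustration that is not HumHub's or the mail module's own code: a hypothetical notification-mail renderer that interpolates the message body into the HTML template unescaped, beside the hardened form that HTML-encodes the sender name and body for element content before interpolation. Function names, the template and the sample message are assumptions.

```php
<?php
// Added illustration (not HumHub code): a private-message body flowing into
// an HTML notification e-mail. Function names and the template are hypothetical.

// Vulnerable: the user-controlled body is interpolated into HTML as-is, so any
// tags or attributes the sender typed become part of the e-mail's markup.
function renderNotificationVulnerable(string $sender, string $body): string
{
    return "<p>You have a new message from <b>{$sender}</b>:</p>\n"
         . "<blockquote>" . nl2br($body) . "</blockquote>";
}

// Encode a value for the HTML element-content context (double and single
// quotes, ampersand, angle brackets); invalid UTF-8 is replaced, not dropped.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every user-controlled value is encoded first; nl2br() runs on the
// already-encoded text, so the only tags in the output are the template's own.
function renderNotificationHardened(string $sender, string $body): string
{
    return "<p>You have a new message from <b>" . e($sender) . "</b>:</p>\n"
         . "<blockquote>" . nl2br(e($body)) . "</blockquote>";
}

// True if markup from the message body survives into the rendered e-mail.
function bodyMarkupSurvives(string $rendered, string $marker): bool
{
    return strpos($rendered, $marker) !== false;
}

// Constructed sample: a body that carries its own HTML tags, as a sender
// could submit it through the message form.
$sender = 'alice';
$body   = "Hi!\n<b>bold</b> <a href=\"https://example.invalid\">link</a>";

echo renderNotificationVulnerable($sender, $body), "\n\n";
echo renderNotificationHardened($sender, $body), "\n\n";

echo 'vulnerable keeps sender markup: ',
     var_export(bodyMarkupSurvives(renderNotificationVulnerable($sender, $body), '<a href'), true), "\n";
echo 'hardened keeps sender markup:   ',
     var_export(bodyMarkupSurvives(renderNotificationHardened($sender, $body), '<a href'), true), "\n";
```

The encoding shown is for element content only; a value placed inside an attribute or a URL needs the encoding for that context instead. A templating layer that encodes by default removes the need to remember the call at each interpolation site.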

Mitigation

Upgrade to the latest HumHub release [1].

References

1. https://github.com/humhub/humhub/releases

Contact

For more information or a no-obligation quote, you can contact us at contact@leakfree.nl (PGP).