Open-Xchange: Stored XSS in Template Documents

2016-11-02T07:26:06
ID H1:179559
Type hackerone
Reporter haquaman
Modified 2016-12-28T01:41:46

Description

Steps to reproduce:

Setup: Edit My Contact Data: - first name: ' onmouseover=alert(1) data-first=' - last name: anything

  1. Create a new text document, and make sure it is saved.
  2. Click Review, check "Track Changes".
  3. Make another edit, it should show coloured now (as it is tracked).
  4. Click File, arrow next to "Save in Drive", then "Save as template". Click OK.
  5. The new template should open, hover over the added text to trigger the payload.

Steps 4 and 5 can be replaced with closing the current file and reopening it.