Open-Xchange: XSS - Search - Unescaped contact job
The function responsible for formatting the contact's job company and position doesn't escape its value, which allows to inject arbitrary HTML content. javascript // master/ui/apps/io.ox/contacts/common-extensions.js // develop/ui/apps/io.ox/contacts/listview.js bright: function baton var text =...