Cross-Site Scripting Vulnerability
Hello Philip,
thank you very much for your great work. I like to use your email-autoconf software.
My colleagues found a cross-site scripting vulnerability. If you call:
Decoded version:
https://mobileconfig.example.com/email.mobileconfig?email=test@example.com</string><svg+xmlns="http://www.w3.org/2000/svg"><script>alert("PROOF-OF-EXPLOIT")</script></svg><string>
it will execute the JavaScript. I know it does not affect the functionality of the software, but the security team needs a solution anyway. What do you think? I use apache2 as the proxy; does this behaviour depend on apache2 or on the python3 source?
Thanks in advance, Oliver Gaida
Edited by Oliver Gaida
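
The following is an added example, not part of the original report and not the project's own code. It assumes the `email` query parameter is written into a `<string>` element of the generated profile, as the `</string>` ... `<string>` wrapping of the reported value suggests; the template, function names and the email pattern are hypothetical.

```python
import plistlib
import re
from xml.sax.saxutils import escape

# Hypothetical minimal profile template; the project's real template is not shown on the page.
TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<plist version="1.0"><dict>'
    '<key>EmailAddress</key><string>{email}</string>'
    '</dict></plist>'
)

# Strict allow-list for the parameter (assumption): no markup characters, no whitespace.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed input: the value from the report, with "+" read as a space
# the way a query-string decoder would hand it to the application.
REPORTED = ('test@example.com</string><svg xmlns="http://www.w3.org/2000/svg">'
            '<script>alert("PROOF-OF-EXPLOIT")</script></svg><string>')


def render_unescaped(email):
    """The 'before': the parameter is pasted into the XML as-is."""
    return TEMPLATE.format(email=email)


def render_escaped(email):
    """Output encoding: &, < and > become entities, so the value stays text."""
    return TEMPLATE.format(email=escape(email))


def render_validated(email):
    """Input validation first, output encoding second."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email parameter")
    return render_escaped(email)


def parsed_email(xml_text):
    """Parse the profile the way a plist consumer would and return the address."""
    return plistlib.loads(xml_text.encode("utf-8"))["EmailAddress"]


if __name__ == "__main__":
    print("unescaped contains <script>:", "<script>" in render_unescaped(REPORTED))
    print("escaped contains <script>:  ", "<script>" in render_escaped(REPORTED))
    print("escaped round-trips as text:", parsed_email(render_escaped(REPORTED)) == REPORTED)
```

Both the escaping and the validation happen at the point where the value is written into the XML, so this check belongs in the code that generates the response.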