AliasVault Web Client Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and prior. Received emails have their HTML body rendered in an iframe through the srcdoc attribute. Because no sanitization was applied to the email HTML and the iframe carried no sandbox attribute, the frame inherits the origin of the parent document and provides no origin isolation. An attacker can therefore send a crafted email containing JavaScript to any AliasVault email alias; when the recipient opens that email in the web client, the script executes in the same origin as the application itself.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the email.
Reproduction
To reproduce this vulnerability, send an email containing malicious JavaScript to an AliasVault email alias. Ensure that the recipient is using a version of the AliasVault Web Client that is 0.25.3 or lower. When the recipient views the email in the web client, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to upgrade to AliasVault version 0.26.0 or later. In that version the email HTML is sanitized with DOMPurify before rendering, and the iframe is given a sandbox attribute so that any remaining script cannot execute or reach the application's origin.
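The following is an added illustration, not AliasVault's own code, of the rendering pattern the advisory describes next to its hardened form. The sanitizer is passed in as a function so the snippet runs without a browser DOM; in the web client this parameter would be DOMPurify.sanitize. Function names and the frame descriptor objects are assumptions made for the example.

```javascript
// Added example (not AliasVault's code). Demonstrates why a srcdoc iframe
// without a sandbox attribute is unsafe for untrusted email HTML, and the
// hardened pattern the 0.26.0 fix describes: sanitize first, then isolate.
// `sanitize` is injected so this runs under Node; in the browser pass
// (html) => DOMPurify.sanitize(html).

// These two sandbox tokens together hand the frame the parent's origin AND
// script execution, which is effectively no sandbox at all for srcdoc content.
const UNSAFE_PAIR = ["allow-scripts", "allow-same-origin"];

// Returns true only if the sandbox value keeps the frame in an opaque origin,
// separate from the application. null/undefined means no sandbox attribute,
// in which case srcdoc content simply inherits the parent document's origin.
function hasOriginIsolation(sandbox) {
  if (sandbox === null || sandbox === undefined) return false;
  const tokens = new Set(sandbox.trim().split(/\s+/).filter(Boolean));
  return !UNSAFE_PAIR.every((t) => tokens.has(t));
}

// Vulnerable pattern (versions 0.25.3 and prior, as described): raw email HTML
// is placed in srcdoc with no sanitization and no sandbox attribute.
function renderEmailVulnerable(emailHtml) {
  return { srcdoc: emailHtml, sandbox: null };
}

// Hardened pattern: sanitize, then render in a fully restricted iframe. An
// empty sandbox value applies every restriction: no scripts, opaque origin,
// no form submission, no top-level navigation.
function renderEmailHardened(emailHtml, sanitize) {
  const clean = sanitize(emailHtml);
  const sandbox = "";
  if (!hasOriginIsolation(sandbox)) {
    throw new Error("refusing to render: sandbox would not isolate the frame");
  }
  return { srcdoc: clean, sandbox };
}

// Applies a frame descriptor to a real <iframe> element in the browser.
// Sandbox flags are fixed when the frame navigates, so the attribute is set
// before srcdoc is assigned; assigning srcdoc first would load the content
// with the old (absent) flags.
function applyToIframe(iframe, frame) {
  if (frame.sandbox === null) iframe.removeAttribute("sandbox");
  else iframe.setAttribute("sandbox", frame.sandbox);
  iframe.srcdoc = frame.srcdoc;
  return iframe;
}
```

A useful regression check in a test suite is that every email iframe in the client carries a sandbox attribute for which hasOriginIsolation returns true.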
