IlohaMail user Parameter XSS

medium Nessus Plugin ID 14637

Synopsis

The remote web server contains a PHP application that is affected by a cross-site scripting vulnerability.

Description

According to its banner, the remote web server is running IlohaMail version 0.8.10 or earlier. Such versions do not properly sanitize the 'user' parameter before using it to generate dynamic HTML output. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to IlohaMail version 0.8.12 or later.

Note that 0.8.11 was released to address this issue, but that version has a crippling bug.
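The version logic behind the Description and Solution sections above, as an added example that is not the plugin's own code: it parses an IlohaMail banner and classifies it as affected (0.8.10 and earlier), fixed-but-crippled (0.8.11), or fixed (0.8.12 and later). The banner regular expression and the sample banners are assumptions constructed for this example; the real plugin's banner matching is not shown on the page.

```python
import re
from typing import Optional, Tuple

# Version boundaries come from the advisory text: 0.8.10 and earlier are
# affected, 0.8.11 fixes the XSS but has a crippling bug, 0.8.12 is the fix.
LAST_VULNERABLE = (0, 8, 10)
RECOMMENDED_FIX = (0, 8, 12)

# Assumed banner shape (hypothetical); adjust to the real banner format.
_BANNER_RE = re.compile(r"IlohaMail\s+v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version from a banner-like string as an int tuple."""
    m = _BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def assess(banner: str) -> dict:
    """Classify a banner against the advisory's version boundaries."""
    ver = parse_version(banner)
    if ver is None:
        return {"version": None, "vulnerable": False,
                "advice": "version not detected; check the 'user' parameter manually"}
    # Tuple comparison handles shorter versions too: (0, 8) < (0, 8, 10).
    if ver <= LAST_VULNERABLE:
        return {"version": ver, "vulnerable": True,
                "advice": "affected by the 'user' parameter XSS; upgrade to 0.8.12 or later"}
    if ver < RECOMMENDED_FIX:
        return {"version": ver, "vulnerable": False,
                "advice": "XSS fixed, but 0.8.11 has a crippling bug; upgrade to 0.8.12 or later"}
    return {"version": ver, "vulnerable": False, "advice": "not affected"}


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real server.
    for sample in ("IlohaMail 0.8.9", "IlohaMail 0.8.10", "IlohaMail 0.8.11",
                   "IlohaMail 0.8.12", "Apache/2.4 (no IlohaMail banner)"):
        print(sample, "->", assess(sample))
```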

See Also

http://www.nessus.org/u?ce7ea0ed

Plugin Details

Severity: Medium

ID: 14637

File Name: ilohamail_user_parameter.nasl

Version: 1.16

Type: remote

Published: 9/2/2004

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: www/PHP

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/1/2003

Reference Information

BID: 9131

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990