IlohaMail user Parameter XSS

This script is Copyright (C) 2004-2015 George A. Theall


Synopsis :

The remote web server contains an PHP application that is affected by
a cross-site scripting vulnerability.

Description :

According to its banner, the remote web server is running IlohaMail
version 0.8.10 or earlier. Such versions do not properly sanitize the
'user' parameter before using it to generate dynamic HTML output. An
attacker may be able to leverage this to inject arbitrary HTML and
script code into a user's browser to be executed within the security
context of the affected site.

See also :

http://www.nessus.org/u?ce7ea0ed

Solution :

Upgrade to IlohaMail version 0.8.12 or later.

Note that 0.8.11 was released to address this issue, but that version
has a crippling bug.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 14637 (ilohamail_user_parameter.nasl)

Bugtraq ID: 9131

CVE ID:

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial