IceWarp Merak Mail Server < 9.0.0 BODY Element XSS

medium Nessus Plugin ID 26069

Synopsis

The remote webmail server is affected by a cross-site scripting vulnerability.

Description

The remote host is running IceWarp Merak Mail Server - a webmail server for Windows and Linux.

According to its banner, the version of IceWarp installed on the remote host fails to properly sanitize email messages before displaying them. If a user reads a specially crafted message, a remote attacker could leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected application.

Solution

Upgrade to IceWarp Merak Mail Server version 9.0.0 or later, as that reportedly resolves the issue.

Plugin Details

Severity: Medium

ID: 26069

File Name: icewarp_9.nasl

Version: 1.26

Type: remote

Published: 9/24/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:icewarp:webmail

Required KB Items: www/icewarp

Exploit Ease: No exploit is required

Vulnerability Publication Date: 9/18/2007

Reference Information

CVE: CVE-2007-5046

BID: 25708

CWE: 79