MailMarshal Spam Quarantine Management (SQM) Multiple Component XSS

This script is Copyright (C) 2008-2011 Tenable Network Security, Inc.
Synopsis :

The remote host has an application that is affected by a cross-site
scripting vulnerability.

Description :

The remote host is running MailMarshal SMTP, a mail server for
Windows.

The Spam Quarantine Management web component included with the version
of MailMarshal SMTP installed on the remote host is affected by a
persistent cross-site scripting vulnerability in its 'delegated spam
management' feature. By exploiting this issue, an internal user may be
able to install a malicious program on another internal user's (the
victim's) computer, steal session cookies, or launch similar attacks.

Successful exploitation would require a victim to accept an email
invitation for delegated spam management from an attacker.

See also :

http://www.marshal.com/kb/article.aspx?id=12175

Solution :

Upgrade to MailMarshal SMTP 6.4 or later.

Risk factor :

Low / CVSS Base Score : 3.5
(CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS Temporal Score : 2.9
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 34336 (mailmarshal_spam_quarantine_xss.nasl)

Bugtraq ID: 31483

CVE ID: CVE-2008-2831