IlohaMail read_message.php Attachment Multiple Field XSS

This script is Copyright (C) 2005-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server contains a PHP application that is subject to
cross-site scripting attacks.

Description :

Based on its version number, the installation of IlohaMail on the
remote host does not properly sanitize attachment file names, MIME
media types, and HTML / text email messages. An attacker can exploit
these vulnerabilities by sending a specially crafted message to a user
which, when read using an affected version of IlohaMail, will allow
the attacker to execute arbitrary HTML and script code in the user's browser
within the context of the affected website.

See also :

Solution :

Upgrade to IlohaMail version 0.8.14-rc3 or newer.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 18050 (ilohamail_email_xss.nasl)

Bugtraq ID: 13175

CVE ID: CVE-2005-1120

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now