Detections
Analytics
NeoMail neomail.pl sort Parameter XSS
medium Nessus Plugin ID 20931
Language:
Synopsis
The remote web server contains a Perl application that is affected by a cross-site scripting issue.Description
The remote host is running NeoMail, an open source webmail application written in Perl.The installed version of this software fails to validate the 'sort' parameter in the 'neomail.pl' script before using it to generate dynamic content. An attacker may be able to exploit this issue to inject arbitrary HTML and script code into a user's browser, to be executed within the security context of the affected application, resulting in the theft of session cookies and a compromise of a user's account.
Solution
Upgrade to NeoMail version 1.28 or later.See Also
https://www.securityfocus.com/archive/1/423901/30/0/threaded
Plugin Details
Severity: Medium
ID: 20931
File Name: neomail_sort_xss.nasl
Version: 1.16
Type: remote
Family: CGI abuses : XSS
Published: 2/16/2006
Updated: 1/19/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:neomail:neomail
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Vulnerability Publication Date: 2/3/2006
Reference Information
CVE: CVE-2006-0536
BID: 16480