Kerio MailServer < 6.6.2 (KSEC-2008-12-16-01) Multiple XSS
Medium Nessus Network Monitor Plugin ID 4797
Synopsis
The remote mail server is affected by several cross-site scripting vulnerabilities.
Description
According to its banner, the remote host is running a version of Kerio MailServer prior to 6.6.2. Multiple files in such versions are reportedly affected by cross-site scripting vulnerabilities.
- The application fails to sanitize input to the 'folder' parameter of the 'mailCompose.php' script as well as the 'daytime' parameter of the 'calendarEdit.php' script before using it to generate dynamic HTML.
- Content passed to the 'sent' parameter of the 'error413.php' script is not sanitized before being returned to the user.
Successful exploitation of these issues could lead to execution of arbitrary HTML and script code in a user's browser within the security context of the affected site.
Solution
Upgrade to version 6.6.2 or higher.