
Kerio MailServer < 6.6.2 (KSEC-2008-12-16-01) Multiple XSS

Medium

Synopsis

The remote mail server is affected by several cross-site scripting vulnerabilities.

Description

According to its banner, the remote host is running a version of Kerio MailServer prior to 6.6.2. Multiple files in such versions are reportedly affected by cross-site scripting vulnerabilities.

- The application fails to sanitize input to the 'folder' parameter of the 'mailCompose.php' script and the 'daytime' parameter of the 'calendarEdit.php' script before using it to generate dynamic HTML.

- Content passed to the 'sent' parameter of the 'error413.php' script is not sanitized before being returned to the user.

Successful exploitation of these issues could lead to execution of arbitrary HTML and script code in a user's browser within the security context of the affected site.
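Two checks a practitioner would want alongside this advisory, written here as an added example and not taken from the plugin or from Kerio: a numeric banner-version comparison that flags versions below 6.6.2 without the string-ordering trap where "6.10.0" sorts before "6.6.2", and a side-by-side of the unsafe reflection pattern the description refers to against the escaped form. The banner strings and the 'folder' field markup are constructed for illustration; the real Kerio banner layout and page HTML are assumptions, not taken from the page.

```python
import html
import re

# Version in which the advisory says the issues are fixed.
FIXED_VERSION = (6, 6, 2)


def parse_version(text):
    """Return the first dotted version in a banner as a tuple of ints, or None."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(banner, fixed=FIXED_VERSION):
    """True if the banner advertises Kerio MailServer older than `fixed`.

    Returns None when the banner is not a Kerio MailServer banner or carries
    no version, so callers can tell "not vulnerable" from "could not decide".
    Comparing int tuples (not strings) keeps 6.10.0 > 6.6.2.
    """
    if "Kerio MailServer" not in banner:
        return None
    version = parse_version(banner)
    if version is None:
        return None
    width = max(len(version), len(fixed))
    version = version + (0,) * (width - len(version))  # 6.6 compares as 6.6.0
    fixed = fixed + (0,) * (width - len(fixed))
    return version < fixed


def render_unsafe(folder):
    """Vulnerable pattern: a query parameter interpolated into HTML verbatim."""
    return '<input type="hidden" name="folder" value="' + folder + '">'


def render_safe(folder):
    """Hardened pattern: escape &, <, >, " and ' before the value reaches HTML."""
    return (
        '<input type="hidden" name="folder" value="'
        + html.escape(folder, quote=True)
        + '">'
    )


def reflects_unescaped(page, probe):
    """True if `probe` appears in the rendered page byte-for-byte."""
    return probe in page


if __name__ == "__main__":
    # Constructed sample banners (layout assumed, not copied from Kerio).
    for banner in (
        "220 mail.example.test Kerio MailServer 6.6.1 ESMTP ready",
        "220 mail.example.test Kerio MailServer 6.6.2 ESMTP ready",
        "220 mail.example.test Kerio MailServer 6.10.0 ESMTP ready",
        "220 mail.example.test ESMTP Postfix",
    ):
        print(is_affected(banner), banner)

    # Constructed probe: breaks out of the value attribute if reflected raw.
    probe = '"><script>alert(1)</script>'
    print(reflects_unescaped(render_unsafe(probe), probe))  # True
    print(reflects_unescaped(render_safe(probe), probe))    # False
```

The `None` return on non-Kerio or version-less banners matters in practice: a scanner that treats "could not parse" as "not affected" silently misses hosts behind a banner-hiding proxy.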

Solution

Upgrade to version 6.6.2 or later.