Vendor: NOCC Webmail
By: SecurityFocus
CVSS: 8.8 HIGH
Script Injection
CWE: 79
Product Name: NOCC Webmail
Affected Version From: 1.3
Affected Version To: 1.3.2002
Patch Exists: YES
Related CVE: CVE-2002-1390
CPE: o:nocc:nocc
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2002

NOCC Webmail Script Injection Vulnerability

NOCC Webmail is vulnerable to script injection: an attacker can include script code in an email and, when the message is displayed to the victim, potentially gain full access to the victim's mailbox. An example of such an attack is the use of a <script> tag to display the victim's session ID.

Mitigation:

Users should upgrade to the latest version of NOCC webmail, which is not vulnerable to this attack.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4740/info

NOCC is a web based email client implemented in PHP4. It includes support for POP3, SMTP and IMAP servers, MIME attachments and multiple languages.

A script injection issue has been reported with the way emails are displayed to users of NOCC webmail. A malicious attacker can include script code in an email and potentially get full access to a victim's mailbox. 

<script>alert(document.cookie)</script>

This will show the victim's session id.
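
The display flaw described above and the usual defensive pattern against it, as an added example that is not NOCC's code or its actual patch: untrusted mail fields are HTML-escaped at output time, and the session cookie is marked HttpOnly so that script cannot read it. The function names, the sample message and the cookie settings are assumptions made for illustration.

```php
<?php
// Added example: not NOCC's code. All names and the sample message are constructed.

// Vulnerable pattern: untrusted mail text is placed into the page as-is,
// so any markup inside the message is parsed by the browser.
function render_body_unsafe(string $body): string
{
    return '<div class="mail-body">' . nl2br($body) . '</div>';
}

// Hardened pattern: every untrusted field is HTML-escaped when it is output.
function esc(string $text): string
{
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces
    // invalid byte sequences instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_message_safe(array $msg): string
{
    // Escape first, then add <br> tags, so nl2br's markup is the only HTML.
    return '<h2>' . esc($msg['subject']) . '</h2>'
         . '<p>From: ' . esc($msg['from']) . '</p>'
         . '<div class="mail-body">' . nl2br(esc($msg['body'])) . '</div>';
}

// Defence in depth (array form needs PHP 7.3+): keep the session cookie
// out of reach of document.cookie and restrict it to HTTPS.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample message carrying the payload quoted in the advisory.
$msg = [
    'from'    => '"Mallory" <mallory@example.org>',
    'subject' => 'Hello <b>there</b>',
    'body'    => "Hi,\n<script>alert(document.cookie)</script>",
];

// Unsafe rendering passes the tag through; safe rendering emits entities.
echo render_body_unsafe($msg['body']), "\n";
echo render_message_safe($msg), "\n";
```

Headers such as From and Subject are attacker-controlled in the same way as the body, which is why the safe renderer escapes all three.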