Cross-Site Scripting vulnerability in @Mail

vendor:

@Mail

by:

Unknown

7.5

CVSS

HIGH

Cross-Site Scripting (XSS)

CWE

Product Name: @Mail

Affected Version From: 6.1.2009

Affected Version To: 6.1.2009

Patch Exists: NO

Related CWE:

CPE: a:atmailwebmail:atmail:6.1.9

Metasploit:

Other Scripts:

Platforms Tested: Unknown

Unknown

Cross-Site Scripting vulnerability in @Mail

The @Mail application fails to properly sanitize user-supplied data, allowing an attacker to execute arbitrary JavaScript code in the browser of a targeted user. This can lead to the theft of sensitive information such as authentication credentials and enable further attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the @Mail application.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/43377/info

@Mail is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary JavaScript code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

@Mail 6.1.9 is vulnerable; prior versions may also be affected.

http://www.example.com/index.php/mail/auth/processlogin?emailName=&lt;emailName&gt;&amp;emailDomain=&lt;emailDomain&gt;&amp;cssStyle=original&amp;email=&lt;email&gt;password=&lt;password&gt;&amp;requestedServer=&amp;MailType=&lt;script&gt;alert(document.cookie);&lt;/script&gt;