Vendor: IMP Webmail
By: Unknown
CVSS: 7.5 HIGH
HTML-injection
CWE: 79
Product Name: IMP Webmail
Affected Version From: IMP 4.3.7
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:horde:imp:4.3.7
Platforms Tested: Unknown
Unknown
HTML-injection vulnerability in Horde IMP Webmail
Horde IMP Webmail is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data before it is used in dynamic content. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Mitigation: Unknown