Vendor: IMail Server
By: Peru (GoSecure!)
CVSS: 7.5 (HIGH)
Type: Persistent XSS
CWE: 79
Product Name: IMail Server
Affected Version From: 12.3
Affected Version To: 12.4 before 12.4.1.15
Patch Exists: YES
Related CVE: CVE-2014-3878
CPE: 2.3:a:ipswitch:imail_server:12.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Server 2008 R2 STD SP1
2014

IPSwitch IMail Server WEB client 12.4 persistent XSS

Four injection points can be used to create a persistent cross-site scripting (XSS) condition. All of them are reached through the default Web Client interface; the Web Client Lite does not appear to be vulnerable to these tests. The injected JavaScript executes when a user simply views the calendar or when the Reminder pops up.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Exploit-DB raw data: