Multiple Reflected Cross-Site Scripting (XSS) in McAfee Email Gateway (formerly IronMail)

vendor:

Secure Mail (Ironmail)

by:

Nahuel Grisolía

4,3

CVSS

MEDIUM

Reflected Cross-Site Scripting (XSS)

CWE

Product Name: Secure Mail (Ironmail)

Affected Version From: Secure Mail (Ironmail) ver.6.7.1

Affected Version To: Secure Mail (Ironmail) ver.6.7.1

Patch Exists: YES

Related CWE: N/A

CPE: a:mcafee:secure_mail

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FreeBSD 6.2 / Apache-Coyote 1.1

2010

Multiple Reflected Cross-Site Scripting (XSS) in McAfee Email Gateway (formerly IronMail)

Multiple Reflected Cross Site Scripting vulnerabilities were found in Ironmail's Web Access console, because the application fails to sanitize user-supplied input. The vulnerabilities can be triggered by any logged-in user.

Mitigation:

Install McAfee Email Gateway 6.7.2 Hotfix 2.

Source

Exploit-DB raw data:

Advisory Name: Multiple Reflected Cross-Site Scripting (XSS) in McAfee Email Gateway (formerly
IronMail)
Vulnerability Class: Reflected Cross-Site Scripting (XSS)
Release Date: Tue Apr 6, 2010
Affected Applications: Secure Mail (Ironmail) ver.6.7.1
Affected Platforms: FreeBSD 6.2 / Apache-Coyote 1.1
Local / Remote: Remote
Severity: Medium – CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Researcher: Nahuel Grisolía

Vendor Status: Official Patch Released. Install McAfee Email Gateway 6.7.2 Hotfix 2.
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:
Multiple Reflected Cross Site Scripting vulnerabilities were found in Ironmail's Web Access console,
because the application fails to sanitize user-supplied input. The vulnerabilities can be triggered by any
logged-in user.

Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12092.pdf (cybsec_advisory_2010_0402.pdf)