| VID | 21334 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
The IMP software on the remote Web server, according to its version number, has a cross-site scripting vulnerability related to HTML+TIME. HTML+TIME is an Internet Explorer technology (based on SMIL) that is meant to add timing and media synchronization support to HTML pages. IMP versions 3.2.4 or earlier could allow a remote attacker to inject malicious HTML or script within an e-mail, because HTML+TIME content is not properly sanitized. Successful exploitation allows execution of arbitrary HTML and script code in another IMP user's Web browser when a malicious e-mail is viewed.
* Note: This check relies solely on the version number of IMP on the remote Web server to assess this vulnerability, so the result might be a false positive.
* References: http://www.greymagic.com/security/advisories/gm005-mc/ , http://www.osvdb.org/displayvuln.php?osvdb_id=8293
* Platforms Affected: Horde IMP 3.0; Horde IMP 3.1, 3.1.2; Horde IMP 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4; Linux (any version); Unix (any version) |
| Recommendation | Upgrade to the latest version (3.2.5 or later) of IMP, available from the Horde download site at http://ftp.horde.org/pub/imp/ |
| Related URL | CVE-2004-1443 (CVE) |
| Related URL | 10845 (SecurityFocus) |
| Related URL | 16866 (ISS) |