| VID |
21367 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The IlohaMail, according to its version number, has an email header HTML injection vulnerability. IlohaMail is a webmail package written in PHP. IlohaMail version 0.8.12 and earlier are vulnerable to various cross-site scripting attacks, due to a failure of the application to properly sanitize user-supplied email header strings. This flaw could allow a remote attacker to inject arbitrary HTML tags to a specially crafted e-mail being read by the victim. When correctly exploited, it will permit the execution of malicious scripts to run in the context of the victim's browser.
* Note: This check solely relied on the version number of the remote IlohaMail software to assess this vulnerability, so this might be a false positive.
* References:
http://www.securityfocus.com/archive/1/364827
http://www.securiteam.com/unixfocus/5CP0520DFY.html
* Platforms Affected:
IlohaMail version 0.8.12 and earlier
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of IlohaMail (0.8.13 or later), available from the IlohaMail Download site at http://sourceforge.net/projects/ilohamail/ |
| Related URL |
(CVE) |
| Related URL |
10668 (SecurityFocus) |
| Related URL |
16285 (ISS) |
|
