| VID | 22310 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The ArGoSoft Mail Server, according to its banner, has an HTML injection (Cross-Site Scripting) vulnerability. ArGoSoft Mail Server is a fully functional SMTP/POP3/Finger server with a built-in HTTP server for Microsoft Windows platforms. ArGoSoft Mail Server versions prior to 1.8.7.0 are vulnerable to HTML injection. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious mail is viewed. A remote attacker could exploit this vulnerability to steal cookie-based authentication credentials from a legitimate user of the Web mail system.
* Note: This check relied solely on the banner of the remote HTTP server to assess this vulnerability, so this might be a false positive.
* References: http://secunia.com/advisories/13571/
* Platforms Affected: ArGoSoft Mail Server versions prior to 1.8.7.0; Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of ArGoSoft Mail Server (1.8.7.0 or later), available from the ArGoSoft Mail Server Download Web page at http://download.cnet.com/ArGoSoft-Mail-Server-Freeware/3000-2369_4-10038331.html |
| Related URL | CVE-2006-0978 (CVE) |
| Related URL | 16834 (SecurityFocus) |
| Related URL | 24945 (ISS) |