VID |
22524 |
Severity |
30 |
Port |
4096,32000 |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
A version of IceWarp Web Mail older than version 5.3.3 was detected running on the host. IceWarp Web Mail is a Web mail server for Microsoft Windows platforms. The remote web server hosts a PHP script that is susceptible to a cross-site scripting attack: the script 'install/index.html' does not properly sanitize input passed to the 'lang' parameter before including it in dynamically generated HTML.
As a result of this vulnerability, a remote attacker can create a malicious link containing script code that will be executed in the browser of an unsuspecting user who follows it.
This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
* References: http://www.icewarp.com/download/whatsnew-10.3.0.pdf
* Platforms Affected: IceWarp IceWarp Server before 10.3; Microsoft Windows Any version |
Recommendation |
Upgrade to the latest version of IceWarp Web Mail (10.3.0 or later), available from the IceWarp Download Web page at http://www.icewarp.com/ |
Related URL |
(CVE) |
Related URL |
47723 (SecurityFocus) |
Related URL |
(ISS) |