CVE-2007-0651 - HTML Injection and Cross-Site Scripting vulnerability in MailEnable Web Mail Client
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Professional before 2.37 allow remote attackers to inject arbitrary Javascript script via (1) e-mail messages and (2) the ID parameter to (a) right.asp, (b) Forms/MAI/list.asp, and (c) Forms/VCF/list.asp in mewebmail/base/default/lang/EN/.
Vulnerable Configurations
Nessus
NASL family | CGI abuses |
NASL id | MAILENABLE_WEBMAIL_XSS.NASL |
description | The Web Mail Client bundled with the version of MailEnable installed on the remote host reportedly fails to properly sanitize email messages and various script parameters of malicious script code, which can lead to cross-site scripting, cross-site request forgery, and script insertion attacks against the affected software. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24345 |
published | 2007-02-15 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24345 |
title | MailEnable Web Mail Client Multiple Vulnerabilities (XSS, CSRF) |
References
- http://osvdb.org/33188
- http://osvdb.org/33189
- http://osvdb.org/33190
- http://secunia.com/advisories/23998
- http://secunia.com/secunia_research/2007-38/advisory/
- http://securityreason.com/securityalert/2258
- http://www.mailenable.com/Professional20-ReleaseNotes.txt
- http://www.securityfocus.com/archive/1/460063/100/0/threaded
- http://www.securityfocus.com/bid/22554
- http://www.vupen.com/english/advisories/2007/0595
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32476
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32480