Alt-N MDaemon 12.5.6/13.0.3 – Email Body HTML/JS Injection

• Exploit Database
• 109 阅读

• 作者： QSecure & Demetris Papapetrou
  日期： 2013-02-21
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/24534/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

  ============================================================== Alt-N MDaemon Email Body HTML/JS Injection Vulnerability ==============================================================   Software:Alt-N MDaemon v13.0.3 and prior versions Vendor: http://www.altn.com/ Vuln Type: HTML/JS Injection Remote: Yes Local: No Discovered by: QSecure and Demetris Papapetrou References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_Email_Body_HTML_JS_Injection.html Discovered: 14/09/2012 Reported: 19/12/2012 Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html) Disclosed: 18/02/2013   VULNERABILITY DESCRIPTION: ========================== Alt-N MDaemon is prone to an HTML/Javascript injection vulnerability because it fails to sanitize user-supplied input.   Attacker-supplied HTML and/or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.   Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.   PoC Exploit: ============ <<!-------->script>alert(&apos;XSS&apos;);<<!-------->/script>?iref=allsearch