JAWmail malicious email message cross-site scripting
| jawmail-mail-message-xss (10152) |  Medium Risk |
Description:
JAWmail (Just Another Web Mail) is vulnerable to cross-site scripting. A remote attacker could create a malicious email containing script code embedded within HTML tags in attachment file names or within the message body, which would be executed in the victim's Web browser, once the message is opened. An attacker could use this vulnerability to gain unauthorized access to the victim's email account.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of JAWmail (2.0rc3 or later), available from the SourceForge.net Web site. See References.
References:
- Full-Disclosure Mailing List, Sun Sep 22 2002 - 19:27:43 CDT: JAWmail XSS .
- JAWmail Web site: JAWmail :: Hello.
- SourceForge.net: Project: Just Another Web Mail: File List.
- BID-5771: Rudi Benkovic JAWMail Script Injection Vulnerability
- CVE-2002-1495: Cross-site scripting (XSS) vulnerability in JAWmail 1.0-rc1 allows remote attackers to insert arbitrary script or HTML via (1) attached file names in the Read Mail feature, (2) text/html mails that are displayed in a pop-up window, and (3) certain malicious attributes within otherwise safe tags, such as onMouseOver.
Platforms Affected:
- JAWmail Project JAWmail 1.0-rc1
Reported:
Sep 23, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net