UebiMiau HTML email cross-site scripting

uebimiau-html-xss (24375) Risk level: Medium

Description:

UebiMiau is vulnerable to cross-site scripting, caused by improper validation of HTML emails. A remote attacker could exploit this vulnerability by embedding malicious script within HTML tags in an email message to execute script in a victim's Web browser when the message is viewed, allowing the attacker to steal the victim's cookie-based authentication credentials.
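As an added illustration (not UebiMiau's code and not the fix shipped in 2.7.10), the Python sketch below shows the kind of validation whose absence the description refers to: a filter that a webmail view could apply before rendering an HTML message, covering the `javascript:` URI in an IMG SRC attribute named in the CVE-2006-0469 reference. The scheme allowlist, the attribute list and the names `url_is_safe` and `sanitize_email_html` are assumptions made for this example; it also drops `on*` handlers and `script` elements, and is not a complete HTML sanitizer.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the advisory): schemes a webmail view may load or link to.
ALLOWED_SCHEMES = {"http", "https", "mailto", "cid"}
URL_ATTRS = {"src", "href", "background", "lowsrc", "dynsrc", "action"}

def url_is_safe(value):
    # True for relative URLs and allowlisted schemes. Browsers ignore tabs and
    # newlines inside a URL, so strip control characters before reading the scheme.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value or "")
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES

class _Filter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
        if self.in_script:
            return
        kept = [tag]
        for name, value in attrs:  # values arrive with entities already decoded
            if name.startswith("on") or (name in URL_ATTRS and not url_is_safe(value)):
                continue  # drop event handlers and URLs with a disallowed scheme
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # emit <img ...> once, without </img>

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))  # re-encode decoded text

def sanitize_email_html(html):
    f = _Filter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Comments and declarations in the message are dropped because the parser's default handlers ignore them; anything after an unclosed `script` tag is dropped as well, so the filter fails closed.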

Platforms Affected:

  • Aldoir Ventura, UebiMiau 2.7.9

Remedy:

Upgrade to the latest version of UebiMiau (2.7.10 or later), available from the UebiMiau Web site. See References.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Sun Jan 29 2006 - 09:22:12 CST, UebiMiau Webmail System Security Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2006-01/0474.html.
  • UebiMiau Web site, UebiMiau - Powerful POP3/IMAP Mail Reader at http://www.uebimiau.org/.
  • BID-16413: UebiMiau HTML Email HTML Injection Vulnerability
  • CVE-2006-0469: Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag.
  • SA18655: UebiMiau Webmail HTML Email Script Insertion
  • VUPEN/ADV-2006-0388: UebiMiau HTML Email Message Handling Cross Site Scripting Vulnerability

Reported:

Jan 29, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
