NetWin Surgemail: XSS vulnerability

Users of NetWin Surgemail please be advised of a Cross-site scripting (XSS) vulnerability that has been identified.
For details of this vulnerability, possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

NetWin-SA-01/04/2010: NetWin Surgemail XSS vulnerability
Problem
-------

Cross-site scripting (XSS) vulnerability in the Surgemail webmail login page (/surgemail) allows remote attackers to inject arbitrary web script or HTML. Input passed to the "username_ex" parameter is not properly sanitised before being returned to the user, therefore enabling the execution of arbitrary script code in a user's browser session, which can lead to cookie theft and session hijacking.

The vulnerability is confirmed to exist in version 4.3e (latest version at the date of vulnerability discovery). Previous versions may also be vulnerable.
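As an added illustration (not Surgemail's code and not part of the advisory), the following Python sketch shows the defect class described above: a login page that reflects the username_ex parameter into its HTML without output encoding, beside the corrected version that HTML-encodes the value before reflecting it, plus a small regression check a maintainer could keep in a test suite. The renderer functions, the constructed sample query string, and the check are assumptions for this example; only the parameter name comes from the advisory.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string with HTML metacharacters in the parameter
# the advisory names; it is test input, not a captured request.
SAMPLE_QUERY = 'username_ex=alice"><b>x</b>'


def _username_from_query(query_string: str) -> str:
    """Extract username_ex from a raw query string (empty string if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("username_ex", [""])[0]


def render_login_vulnerable(query_string: str) -> str:
    """Hypothetical login-page renderer that reflects username_ex verbatim.

    This reproduces the defect class the advisory describes (reflected XSS);
    it is not Surgemail's actual template code.
    """
    username = _username_from_query(query_string)
    # Defect: untrusted input placed into an HTML attribute with no encoding,
    # so a quote or angle bracket in the value breaks out of the attribute.
    return f'<input type="text" name="username_ex" value="{username}">'


def render_login_fixed(query_string: str) -> str:
    """Same page with contextual output encoding applied before reflection."""
    username = _username_from_query(query_string)
    # quote=True also encodes " and ', which matters inside an attribute value.
    safe = html.escape(username, quote=True)
    return f'<input type="text" name="username_ex" value="{safe}">'


def reflects_unencoded_markup(rendered: str, supplied: str) -> bool:
    """Regression check: True if the rendered page still contains the supplied
    value verbatim even though that value carries HTML metacharacters."""
    has_meta = any(ch in supplied for ch in '<>"\'&')
    return has_meta and supplied in rendered


if __name__ == "__main__":
    supplied = _username_from_query(SAMPLE_QUERY)
    for name, renderer in (("vulnerable", render_login_vulnerable),
                           ("fixed", render_login_fixed)):
        page = renderer(SAMPLE_QUERY)
        print(f"{name}: {page}")
        print(f"  reflects raw markup: {reflects_unencoded_markup(page, supplied)}")
```

The check deliberately compares against the decoded parameter value rather than the raw query string, so it behaves the same whether the client URL-encoded the metacharacters or not; any renderer that passes the check for values like the sample above has at least encoded the attribute context correctly, though a full fix still needs encoding at every reflection point, not only this one.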
Read more at http://www.criticalwatch.com