| Title | Icewarp Webclient 10.1.3/10.2.0 Https Post Request Cross Site Scripting |
|---|
| Description | CVE-2010-5340
> [Suggested description]
> IceWarp Webclient before 10.2.1 has XSS via
> an HTTP POST request:
> webmail/ with the parameter password is non-persistent in 10.2.0.
> ------------------------------------------
> [Additional Information]
> The vulnerability was discovered in 2010, but no CVE-ID was requested at that time.
> ------------------------------------------
> [Vulnerability Type]
> Cross Site Scripting (XSS)
> ------------------------------------------
> [Vendor of Product]
> IceWarp
> ------------------------------------------
> [Affected Product Code Base]
> IceWarp Webclient - 10.1.3 (partially)
> IceWarp Webclient - 10.2.0
> ------------------------------------------
> [Affected Component]
> http[s]://host/admin/login.html (username), http[s]://host/webmail/basic/ (_dlg[captcha][controller]), http[s]://host/webmail/basic/ (_dlg[captcha][action]), http[s]://host/webmail/basic/ (_dlg[captcha][uid]), http[s]://host/webmail/ (password)
> ------------------------------------------
> [Attack Type]
> Remote
> ------------------------------------------
> [Impact Code execution]
> true
> ------------------------------------------
> [Reference]
> https://www.gosecurity.ch/component/content/article/12-services/gosecuritynews/fachartikel/169-gosecurity-advisory-2010120602
> https://vuldb.com/?id.142993
> ------------------------------------------
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> ------------------------------------------
> [Discoverer]
> Ron Ott/Michael Schneider/Thomas Wittmann |
|---|
| User | misc (UID 3) |
|---|
| Submission | 10/11/2019 12:57 (7 years ago) |
|---|
| Moderation | 10/11/2019 14:08 (1 hour later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 143378 [Icewarp Webclient 10.1.3/10.2.0 webmail/ Password Reflected cross site scripting] |
|---|
| Points | 17 |
|---|