Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body of an e-mail message, with JavaScript code executed on the Read Mail screen (aka the /_readmail URI).
------------------------------------------
[Vulnerability Type]
Persistent Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Code Crafters Software Limited
------------------------------------------
[Affected Product Code Base]
Ability Mail Server - 3.3.2
------------------------------------------
[Affected Component]
Web Mail
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
True
------------------------------------------
[CVE Impact Other]
Cookie theft and Data theft
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, the victim must open an email with malicious
JavaScript inserted into the body of the email.
------------------------------------------
[Solution]
To mitigate this vulnerability, upgrade to Ability Mail Server 4.2.4
------------------------------------------
[Timeline]
September 2, 2017 - Vendor contacted: No Reply
October 2, 2017 - Sent second email to the Vendor: No Reply 31/10/2017
November 2, 2017 - Sent a third email to the Vendor with a warning of
an immediate full public disclosure: No Reply
December 19, 2017 - Full Disclosure
------------------------------------------
[Discoverer]
Aloyce J. Makalanga
------------------------------------------
==Attached, proof of concept===
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
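
Added example, not part of the original advisory and not the vendor's code: for installations that have not yet moved to 4.2.4, a gateway-side check that flags inbound messages whose text parts carry script-capable markup before they reach the Read Mail screen. The function names, the tag and attribute lists and the sample message are assumptions constructed for illustration; the advisory does not say which body part is rendered, so every text/* part is scanned.

```python
# Added example (not from the advisory): flag script-capable markup in mail bodies.
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}      # assumed deny-list
URL_ATTRS = {"href", "src", "action", "formaction"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands over tag and attribute names already lowercased.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):                      # onerror, onload, ...
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value:
                # Normalise case and drop whitespace/control characters first.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith(BAD_SCHEMES):
                    self.findings.append(f"url:{name}")

def scan_message(raw_bytes):
    """Return {content_type: [findings]} for every text/* part of the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())    # transfer encoding is decoded here
        finder.close()
        if finder.findings:
            report.setdefault(part.get_content_type(), []).extend(finder.findings)
    return report

def build_sample():
    """Constructed test message; the HTML part is base64-encoded on the wire."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain part <script>/* constructed marker */</script>")
    m.add_alternative('<p>hi</p><img src="x" onerror="/* constructed */">'
                      '<a href="javascript:void(0)">link</a>', subtype="html", cte="base64")
    return m.as_bytes()
```

A non-empty result from `scan_message` is a signal to quarantine or alert at the gateway; the fix the advisory gives remains the upgrade.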
