Detections
Analytics
HastyMail HTML Attachment Script Execution
medium Nessus Plugin ID 14370
Language:
Synopsis
The remote web server is running a PHP application that is affected by a cross-site scripting vulnerability.Description
The remote host is running HastyMail, a PHP-based mail client application.The installed version contains a flaw caused by email attachments not being properly defined int he Content-Disposition HTTP header. An attacker could exploit this flaw to inject Javascript or ActiveX code in an attachment.
Solution
Upgrade to HastyMail 1.0.2 or 1.2.0, as this reportedly fixes the issue.See Also
Plugin Details
Severity: Medium
ID: 14370
File Name: hastymail_attachment_exec.nasl
Version: 1.16
Type: remote
Family: CGI abuses
Published: 8/25/2004
Updated: 1/19/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
Required KB Items: www/PHP
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: No exploit is required
Vulnerability Publication Date: 8/24/2004
Reference Information
CVE: CVE-2004-2704
BID: 11022