MDaemon WorldClient < 12.0.3 Summary Page Email Subject XSS

medium Nessus Plugin ID 54604

Synopsis

The remote webmail client has a cross-site scripting vulnerability.

Description

According to its banner, the version of MDaemon's WorldClient webmail client running on this port is earlier than 12.0.3. The LookOut theme in such versions reportedly may interpret JavaScript in a message subject in the Summary view.

By sending a specially crafted email to a user who reads mail through the affected webmail client, a remote attacker may be able to exploit this issue to inject arbitrary HTML script code into the user's browser to be executed in the security context of the affected application.

Solution

Upgrade to MDaemon 12.0.3 or later.

See Also

http://files.altn.com/MDaemon/Release/relnotes_en.html

Plugin Details

Severity: Medium

ID: 54604

File Name: mdaemon_worldclient_12_0_3.nasl

Version: 1.9

Type: remote

Published: 5/20/2011

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:alt-n:mdaemon

Exploit Ease: No known exploits are available

Patch Publication Date: 5/17/2011

Vulnerability Publication Date: 5/18/2011

Reference Information

BID: 47896

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990