JAWmail malicious email message cross-site scripting
| jawmail-mail-message-xss (10152) |  Medium Risk |
Description:
JAWmail (Just Another Web Mail) is vulnerable to cross-site scripting. A remote attacker could create a malicious email containing script code embedded within HTML tags in attachment file names or within the message body, which would be executed in the victim's Web browser, once the message is opened. An attacker could use this vulnerability to gain unauthorized access to the victim's email account.
Platforms Affected:
- JAWmail Project, JAWmail 1.0-rc1
Remedy:
Upgrade to the latest version of JAWmail (2.0rc3 or later), available from the SourceForge.net Web site. See References.
Consequences:
Gain Access
References:
- Full-Disclosure Mailing List, Sun Sep 22 2002 - 19:27:43 CDT, JAWmail XSS at http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1276.html.
- JAWmail Web site, JAWmail :: Hello at http://www.jawmail.org/.
- SourceForge.net, Project: Just Another Web Mail: File List at http://sourceforge.net/project/showfiles.php?group_id=17013.
- BID-5771: Rudi Benkovic JAWMail Script Injection Vulnerability
- CVE-2002-1495: Cross-site scripting (XSS) vulnerability in JAWmail 1.0-rc1 allows remote attackers to insert arbitrary script or HTML via (1) attached file names in the Read Mail feature, (2) text/html mails that are displayed in a pop-up window, and (3) certain malicious attributes within otherwise safe tags, such as onMouseOver.
Reported:
Sep 23, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net