- 28 May 2008Advisories » Zarafa Multiple Remote Cross-Site Scripting Vulnerabilities
| Release Date: | 09/05/2008 | Severity: | Moderately Critical  |
| SecWatch Advisory: | SWID1021133 | Cause: | Input validation error |
| Solution Status: | Vendor Patch | Impact: | Cross Site Scripting |
| Exploit Status: | None Available | Access Vector: | From remote |
| Affected Software: | Zarafa 6.x | ||
| Original Advisory: | http://download.zarafa.com/zarafa/release/docs/changelog.en.txt |
||
| Secunia: | SA30102 | ||
Description:
Multiple input validation vulnerabilities in Zarafa have been reported, which can be exploited by remote users to conduct cross-site scripting attacks.
User-supplied input passed via HTML in email headers and via the subject of an email is not properly sanitised before being displayed. This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Various other issues have also been reported.
Affected:
Zarafa version 6.02.
Solution:
The vulnerabilities have been fixed in version 6.02.
Credits:
Reported by vendor.
Free Vulnerability Notification Service
Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.