Summary
AeroMail is prone to multiple remote vulnerabilities, including:
1. A cross-site scripting vulnerability.
2. Multiple HTML-injection vulnerabilities.
3. Multiple cross-site request forgery vulnerabilities.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. The attacker may also be able to perform certain administrative functions and delete arbitrary files. Other attacks are also possible.
Solution
A third-party patch is available. Please see the references for details.
References
Updated on 2015-03-25