IlohaMail User Parameter Vulnerability

Summary
The target is running at least one instance of IlohaMail version 0.8.10 or earlier. Such versions do not properly sanitize the 'user' parameter, which could allow a remote attacker to execute arbitrary code either on the target or in a victim's browser when a victim views a specially crafted message with an embedded image. This is possible as long as PHP's magic quotes setting is turned off (it is on by default) and the MySQL backend is in use.

For a discussion of this vulnerability, see: http://sourceforge.net/mailarchive/forum.php?thread_id=3589704&forum_id=27701

OVS has determined the vulnerability exists on the target simply by looking at the version number of IlohaMail installed there.
Solution
Upgrade to IlohaMail version 0.8.11 or later.