Open WebMail Content-Type XSS Network Vulnerability

Summary

The target is running at least one instance of Open WebMail whose version is 2.32 or earlier. Such versions are vulnerable to a cross site scripting attack whereby an attacker can cause a victim to unknowingly run arbitrary Javascript code by reading a MIME message with a specially crafted Content-Type or Content-Description header. For further information, see : http://www.openwebmail.org/openwebmail/download/cert/advisories/SA-04:05.txt http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt ***** OVS has determined the vulnerability exists on the target ***** simply by looking at the version number of Open WebMail ***** installed there.

Solution

Upgrade to Open WebMail version 2.32 20040603 or later.

Severity

Classification

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Struts2 'XWork' Information Disclosure Vulnerability
Apache Tomcat source.jsp malformed request information disclosure
Apache Open For Business HTML injection vulnerability
Adobe Presenter viewer.swf and loadflash.js XSS Vulnerability
Apache Subversion Module Metadata Accessible

Take action and discover your vulnerabilities