Summary
The target is running at least one instance of Simple Form, which fails to remove newlines from variables used to construct message headers. A remote attacker can exploit this flaw to add to the list of recipients, making it possible to use Simple Form on the target as a proxy for sending abusive mail or spam.
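The flaw class described above, as an added example that is not Simple Form's own code: a form mailer that pastes fields into headers unfiltered, next to a version that rejects control characters before building the message. All function names, addresses and sample inputs are constructed for illustration.

```python
import re
from email import message_from_string

# Added illustration; helper names are hypothetical, not Simple Form's code.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF


class HeaderInjectionError(ValueError):
    """Raised when a form field would break out of its header line."""


def build_naive(recipient, sender, subject, body):
    # Flawed pattern from the summary: fields go into headers unfiltered.
    return f"To: {recipient}\nFrom: {sender}\nSubject: {subject}\n\n{body}\n"


def checked(field, value):
    # Reject rather than strip, so the attempt is visible to the caller and logs.
    if CONTROL_CHARS.search(value):
        raise HeaderInjectionError(f"control character in {field!r} field")
    return value.strip()


def build_checked(recipient, sender, subject, body):
    # Same message layout, but every header value is validated first.
    return build_naive(checked("to", recipient), checked("from", sender),
                       checked("subject", subject), body)


def header_names(raw_message):
    # The header fields a mail parser sees in the raw message.
    return [name.lower() for name in message_from_string(raw_message).keys()]


# Constructed sample input: the second subject carries an embedded newline.
CLEAN = ("owner@example.org", "visitor@example.com", "Hello", "Hi there")
TAINTED = ("owner@example.org", "visitor@example.com",
           "Hello\nBcc: third-party@example.net", "Hi there")

if __name__ == "__main__":
    print(header_names(build_naive(*TAINTED)))
    print(header_names(build_checked(*CLEAN)))
    try:
        build_checked(*TAINTED)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the request, rather than silently deleting the newline, leaves a record that can be logged and alerted on.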
Solution
Upgrade to Simple Form 2.3 or later.
References
Updated on 2015-03-25
Severity
Classification
- CVSS Base Score: 6.8
- CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P