SurgeMail SurgeWeb Cross Site Scripting Vulnerability Network Vulnerability

Summary

The host is running SurgeMail and is prone to Cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade to NetWin Surgemail version 4.3g or later. For updates refer to http://netwinsite.com/surgemail/

Insight

The flaw is caused by improper validation of user-supplied input via the 'username_ex' parameter to the SurgeWeb interface '/surgeweb', which allows the attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Affected

NetWin Surgemail versions before 4.3g

References

http://ictsec.se/?p=108
http://secunia.com/advisories/41685
http://www.securityfocus.com/archive/1/archive/1/514115/100/0/threaded

Updated on 2015-03-25

Severity

Classification

CVE CVE-2010-3201

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Ampache Reflected Cross Site Scripting Vulnerability
An Image Gallery Multiple Cross-Site Scripting Vulnerability
appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability
AMSI 'file' Parameter Directory Traversal Vulnerability
/doc directory browsable ?

Take action and discover your vulnerabilities