PT-2004-2623 · Merak · Merak Webmail Server

Publicado

2004-08-17

·

Atualizado

2017-07-11

·

CVE-2004-1719

CVSS v2.0

4.3

Média

VetorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Merak Webmail Server version 5.2.7
Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different HTML files. Specifically, the vulnerable parameters include:
  • category, cserver, ext, global, showgroups, or showlite parameters to "address.html",
  • spage or autoresponder parameters to "settings.html",
  • folder parameter to "readmail.html",
  • attachmentpage text error parameter to "attachment.html",
  • folder, ct, or cv parameters to "calendar.html",
  • an <img> tag,
  • or the subject of an e-mail message.
Recommendations For Merak Webmail Server version 5.2.7, consider disabling access to the specified parameters in the affected HTML files until a patch is available. Restrict the use of the category, cserver, ext, global, showgroups, showlite, spage, autoresponder, folder, attachmentpage text error, ct, and cv parameters, as well as the use of <img> tags and e-mail message subjects, to minimize the risk of exploitation.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Identificadores relacionados

CVE-2004-1719

Produtos afetados

Merak Webmail Server