CVE-2012-2575

Name of the Vulnerable Software and Affected Versions SurgeMail version 6.0a4

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the SRC attribute of an IFRAME element in the body of an HTML e-mail message.

Recommendations For version 6.0a4, consider disabling the handling of IFRAME elements in HTML e-mail messages until a patch is available. Restrict access to the email module to minimize the risk of exploitation. Avoid using the SRC attribute in the IFRAME element in the email body until the issue is resolved.