PT-2004-2623 · Merak · Merak Webmail Server

Published

2004-08-17

·

Updated

2017-07-11

·

CVE-2004-1719

CVSS v2.0

4.3

Medium

VectorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Merak Webmail Server version 5.2.7
Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different HTML files. Specifically, the vulnerable parameters include:
  • category, cserver, ext, global, showgroups, or showlite parameters to "address.html",
  • spage or autoresponder parameters to "settings.html",
  • folder parameter to "readmail.html",
  • attachmentpage text error parameter to "attachment.html",
  • folder, ct, or cv parameters to "calendar.html",
  • an <img> tag,
  • or the subject of an e-mail message.
Recommendations For Merak Webmail Server version 5.2.7, consider disabling access to the specified parameters in the affected HTML files until a patch is available. Restrict the use of the category, cserver, ext, global, showgroups, showlite, spage, autoresponder, folder, attachmentpage text error, ct, and cv parameters, as well as the use of <img> tags and e-mail message subjects, to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Related Identifiers

CVE-2004-1719

Affected Products

Merak Webmail Server