CVE-2005-1488

Name of the Vulnerable Software and Affected Versions: Merak Mail Server version 8.0.3 with Icewarp Web Mail version 5.4.2

Description: The issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via several fields, including the E-mail address, Note, or Public Certificate fields to "address.html", "addressaction.html", the Signature field to "settings.html", or the Shared calendars to "calendarsettings.html".

Recommendations: For Merak Mail Server version 8.0.3 with Icewarp Web Mail version 5.4.2, consider restricting access to the address.html, addressaction.html, settings.html, and calendarsettings.html endpoints until a patch is available. As a temporary workaround, avoid using the E-mail address, Note, Public Certificate, Signature, and Shared calendars fields in the affected endpoints. At the moment, there is no information about a newer version that contains a fix for this issue.