CVE-2007-2592

Name of the Vulnerable Software and Affected Versions Nokia Intellisync Mobile Suite versions 6.4.31.2, 6.6.0.107, 6.6.2.2

Description The issue involves multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML. This is possibly related to Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express. The username parameter to the "de/pda/dev logon.asp" endpoint is vulnerable, as well as multiple unspecified vectors in files such as "usrmgr/registerAccount.asp" and "de/create account.asp".

Recommendations For Nokia Intellisync Mobile Suite version 6.4.31.2, avoid using the username parameter in the "de/pda/dev logon.asp" endpoint until the issue is resolved. For Nokia Intellisync Mobile Suite version 6.6.0.107, restrict access to the "usrmgr/registerAccount.asp" and "de/create account.asp" files to minimize the risk of exploitation. For Nokia Intellisync Mobile Suite version 6.6.2.2, consider disabling the affected endpoints until a patch is available.