PT-2012-4111 · Ivitek · Winwebmail Server

Loneferret · Published 2012-08-12 · Updated 2026-01-27 · CVE-2012-2571

CVSS v2.0: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
WinWebMail Server version 3.8.1.6

Description
The issue allows remote attackers to inject arbitrary web script or HTML via an e-mail message body using various methods, including a SCRIPT element, crafted Cascading Style Sheets (CSS) expressions, or specific attributes in HTML elements.

Recommendations
For WinWebMail Server version 3.8.1.6, consider disabling the processing of e-mail message bodies containing SCRIPT elements, CSS expressions, or specific attributes until a patch is available. Restrict access to the e-mail functionality to minimize the risk of exploitation. Avoid using the STYLE attribute in arbitrary elements and restrict the use of IFRAME elements with crafted SRC attributes. Additionally, restrict the use of UTF-7 text in HTTP-EQUIV="CONTENT-TYPE" META elements.
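One way to find message bodies that contain the constructs named above before they reach the webmail view, as an added example that is not part of the advisory or the vendor's code. The function name, class name and finding labels are hypothetical, and the sample body is constructed.

```python
import re
from html.parser import HTMLParser


def _squash(css):
    # Normalise CSS text: drop comments and whitespace, lower-case.
    return re.sub(r"/\*.*?\*/|\s+", "", css, flags=re.S).lower()


class MailBodyAudit(HTMLParser):
    """Records constructs listed in the advisory (labels are hypothetical)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names
        if tag == "script":
            self.findings.append("script-element")
        if tag == "style":
            self._in_style = True
        if "style" in a:
            has_expr = "expression(" in _squash(a["style"])
            self.findings.append("css-expression" if has_expr else "style-attribute")
        if tag == "iframe" and "src" in a:
            self.findings.append("iframe-src")
        if (tag == "meta" and a.get("http-equiv", "").lower() == "content-type"
                and "utf-7" in a.get("content", "").lower()):
            self.findings.append("meta-utf7")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and "expression(" in _squash(data):
            self.findings.append("css-expression")


def audit_body(html_body):
    """Return the sorted, de-duplicated findings for one HTML message body."""
    parser = MailBodyAudit()
    parser.feed(html_body)
    parser.close()
    return sorted(set(parser.findings))


# Constructed sample body, not taken from a real message.
SAMPLE = ('<meta http-equiv="Content-Type" content="text/html; charset=UTF-7">'
          '<p style="color:red">hi</p><iframe src="http://example.invalid/"></iframe>'
          '<script>var x=1;</script>')
```

A non-empty result marks a body to quarantine or render as plain text; it is a triage check and does not make the body safe to display as HTML.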

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2012-2571

Affected Products

Winwebmail Server