CVE-2013-6229

Name of the Vulnerable Software and Affected Versions Atmail Webmail Server version 7.0.2

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the filter parameter to "/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5" and the mailId[] parameter to "/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash" are affected.

Recommendations For Atmail Webmail Server version 7.0.2, consider disabling access to the affected API endpoints "/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5" and "/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash" until a patch is available. Additionally, restrict the use of the filter and mailId[] parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.