PT-2020-9305 · Unknown · Edison Mail
Luigi Gubello
·
Published
2020-03-18
·
Updated
2020-03-19
·
CVE-2019-12368
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Edison Mail versions 1.7.1 and earlier
Description
The issue allows for XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ EXTERNAL STORAGE permission.
Recommendations
For Edison Mail versions 1.7.1 and earlier, consider disabling the READ EXTERNAL STORAGE permission as a temporary workaround until a patch is available. Restrict access to event attributes and src attributes in the application to minimize the risk of exploitation.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Edison Mail