VulDB: Horde IMP Webmail 4.0.7 Message Page cross site scripting
General

scipID: 5467
Affected: Horde IMP Webmail 4.0.7
Published: 05/29/2012
Risk: problematic
Entry: 82.8% complete
Created: 06/01/2012
Updated: 06/06/2012
Summary
A vulnerability classified as problematic was found in Horde IMP Webmail 4.0.7. Affected is an unknown function of the Message Page component. Manipulation with an unknown input leads to a cross site scripting vulnerability. The impact is recorded as affecting confidentiality, integrity, and availability.
The weakness was disclosed on 05/29/2012 as a changelog entry. The advisory is available for download at github.com. Exploitation is rated as easy and can be launched remotely; a single authentication is required. Technical details are unknown, but a public exploit is available.
An exploit was disclosed immediately after the advisory.
Upgrading to version 4.0.8 eliminates this vulnerability. A possible mitigation was published immediately after the disclosure. The vulnerability is also documented in the vulnerability database at OSVDB (82370).
CVSS
Base Score: 9.0 (CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Network | Low | Single | Complete | Complete | Complete |
Exploiting
Class: Cross site scripting
Local: No
Remote: Yes
Availability: Yes
Access: Public
Countermeasures
Recommended: Upgrade
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 0 days since known
Upgrade: IMP Webmail 4.0.8
Timeline
05/29/2012 | Advisory disclosed
05/29/2012 | Exploit disclosed
05/29/2012 | Countermeasure disclosed
05/31/2012 | OSVDB entry created
06/01/2012 | VulDB entry created
06/06/2012 | VulDB entry updated
Sources
Advisory: github.com
OSVDB: 82370