CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-6017
Atmail Webmail Server version 7.1.3 contains a stored cross-site scripting (XSS) vulnerability. An attacker can place the stored XSS in the e-mail body and send it to another user on the mail system, allowing them to inject arbitrary HTML content (including script). This may allow the attacker the ability to steal authentication cookies or other sensitive information.
Apply an Update
Thanks to Zhao Liang of Beijing Leadsec Technology Co., Ltd for reporting this vulnerability.
This document was written by Adam Rauf & Jared Allar.