Summary
AeroMail is prone to multiple remote vulnerabilities, including:
1. A cross-site scripting vulnerability.
2. Multiple HTML-injection vulnerabilities.
3. Multiple cross-site request forgery vulnerabilities.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. The attacker may also be perform certain administrative functions and delete arbitrary files. Other attacks are also possible.
Solution
A third party patch is available. Please see the references for details.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- Apache ActiveMQ 'Cron Jobs' Cross Site Scripting Vulnerability
- Apache Struts Cross Site Scripting Vulnerability
- Apache Struts Showcase Multiple Persistence Cross-Site Scripting Vulnerabilities
- Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability
- Apache Struts2/XWork Remote Command Execution Vulnerability