AeroMail is prone to multiple remote vulnerabilities, including:

1. A cross-site scripting vulnerability.
2. Multiple HTML-injection vulnerabilities.
3. Multiple cross-site request forgery vulnerabilities.

The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. The attacker may also be able to perform certain administrative functions and delete arbitrary files. Other attacks are also possible.
A third-party patch is available. Please see the references for details.
Updated on 2015-03-25