CVE-2009-4743
Published: 2010-03-26
Priority: P4 · 19 · medium · 4.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.54% (71.7th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in history-storage.aspx in AfterLogic WebMail Pro 4.7.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) HistoryStorageObjectName and (2) HistoryKey parameters.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| afterlogic | webmail_pro | <= 4.7.10 | — |
| afterlogic | webmail_pro | — | — |
No detection rules found.
Exploit-DB
AfterLogic WebMail Pro 4.7.10 - Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2009-10-06
---
source: https://www.securityfocus.com/bid/36605/info
AfterLogic WebMail Pro is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
AfterLogic WebMail Pro 4.7.10 and prior versions are affected.
Exploit-DB
AfterLogic WebMail Pro 4.7.10 - Cross-Site Scripting
exploitdb·2009-10-05
---
Security Advisory : Cross-Site Scripting flaw in AfterLogic WebMail Pro
Description
AfterLogic WebMail Pro is vulnerable to Cross-Site Scripting, allowing injection
of malicious code in the context of the application.
Overview
Quote from http://www.afterlogic.com/products/webmail-pro :
"Webmail front-end for your existing POP3/IMAP mail server. Offer your users
the fast AJAX webmail and innovative calendar with sharing. Stay in control
with the admin panel and the developer's API."
Details
Vulnerable Product : AfterLogic WebMail Pro
Solution
The vendor has made available a patched version. Update to AfterLogic
Webmail Pro 4.7.11
No writeups or analysis indexed.
References
http://osvdb.org/58712
http://secunia.com/advisories/36964
http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt
http://www.securityfocus.com/bid/36605
https://exchange.xforce.ibmcloud.com/vulnerabilities/53672
Published: 2010-03-26