Stored XSS on Communigate Pro 5.2.14 and prior versions
The Communigate Pro webmail framework is prone to a stored Cross-Site
Scripting vulnerability through crafted plain text email messages.
- Affected version:
5.2.14 and prior as reported from Communigate:
This vulnerability can be exploited if an attacker sends a plain text
message to the victim's address containing a maliciously crafted URL;
the internal parser fails to parse the malicious URL and executes
An attacker may be able to use this vulnerability to steal sensitive
information from a user's computer (e.g. current SessionID) or force
the user's computer to execute stealth operations.
- Example of crafted URL
Install Communigate Pro 5.2.13
5.2.15 15-Jul-2009: * Bug Fix: WebUser: 5.1.2: links in plain text
messages could be processed incorrectly.
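
The changelog entry above concerns how links in plain text messages are turned into HTML. As an added example (not CommuniGate Pro code and not part of the advisory), this Python renderer escapes every part of the message, including the URL itself, before emitting an anchor. The function names, the http/https allow-list and the sample message are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Candidate links: an http(s) scheme followed by a run of non-whitespace.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TRAILING = ".,;:!?)"  # sentence punctuation that should stay outside the link


def link_for(url: str) -> str:
    """Return an <a> element for url, or escaped text if it is not a plain web URL."""
    try:
        parts = urlsplit(url)
        ok = parts.scheme.lower() in ("http", "https") and bool(parts.netloc)
    except ValueError:  # e.g. malformed bracketed host
        ok = False
    safe = html.escape(url, quote=True)  # encodes & < > " '
    if not ok:
        return safe
    return '<a href="{0}" rel="noopener noreferrer">{0}</a>'.format(safe)


def render_plain_text(body: str) -> str:
    """Render a plain-text message body as HTML with clickable links."""
    out, pos = [], 0
    for m in URL_RE.finditer(body):
        # Text between links is escaped, never copied through verbatim.
        out.append(html.escape(body[pos:m.start()], quote=True))
        url = m.group(0)
        core = url.rstrip(TRAILING)
        out.append(link_for(core))
        out.append(html.escape(url[len(core):], quote=True))
        pos = m.end()
    out.append(html.escape(body[pos:], quote=True))
    return "<pre>" + "".join(out) + "</pre>"


# Constructed sample message: markup characters inside and outside the URL.
SAMPLE = 'Report: http://example.test/a"b<i>c and <b>bold</b> & done.'

if __name__ == "__main__":
    print(render_plain_text(SAMPLE))
```

The quote and angle brackets inside the URL reach the page only as `&quot;`, `&lt;` and `&gt;`, so the `href` attribute cannot be closed early and no element from the message body is parsed as markup.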