Merak Webmail XSS
- Published: 17 Sep 2007
The Merak Mail Server provides a web-based interface called IceWarp, which allows users to send and retrieve email from a web browser. However, email content is not sufficiently sanitised before it is rendered, so script embedded in a message can execute in the recipient's browser. On accessing the web interface of the application, the user is assigned two session IDs. An attacker could harvest these session IDs by sending specially crafted emails to users: the session IDs would be transmitted to the attacker when the users opened the malicious emails, and with this information the attacker would be able to gain access to the users' accounts.