Cross-site scripting (XSS) vulnerability in Dada Mail before 2.10 Alpha 1 allows remote attackers to execute arbitrary Javascript via archived messages.