CoreMail XT3.0 Cross Site Scripting

2015.12.01

Credit: shack.li

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Application: CoreMail
Versions Affected: XT3.0
Vendor URL: http://www.coremail.cn/
Bugs: Stored XSS
Author:shack.li(DBAPPSecurity Ltd)
Description:
Coremail mail system was born in 1999, is widely used in network operators, large enterprises, government institutions, colleges and universities and other mail systems, so far, the user has more than 700000000,the official website.
Vulnerability details?
Create a document, insert a hyperlink, hyperlink for executing the JavaScript test code "javascript:alert ()".
Then create a mail and upload attachments, and then send them to the other users who need them. When other users online preview documents, click the hyperlink, Attack code will be executed.
---------------------------------------------
E-mail?shack.li@dbappsecurity.com.cn
DBAppSecurity Ltd
www.dbappsecurity.com.cn

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CoreMail XT3.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.