Description
Multiple vulnerabilities have been reported in @Mail Server, which can be exploited by malicious users to conduct script insertion attacks.
1) Input passed via the "UserFirstName" and "UserLastName" parameters to index.php/admin/users/create or index.php/admin/users/update is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.
Successful exploitation of this vulnerability requires permissions to create or edit users.
2) Input passed via the range and index values is not properly sanitised before being used in the log search functionality. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.
The vulnerabilities are reported in version 6.30.4. Other versions may also be affected.
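The two fixes this class of issue calls for, as an added PHP example that is not @Mail Server's code: encode "UserFirstName" and "UserLastName" when they are written into HTML, and accept the log search range and index values only as bounded integers. The function names, the numeric limits and the HTML layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not @Mail Server source. Function names, limits and
// the HTML layout are assumptions made for this example.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept a log-search range or index value only if it is a bounded integer. */
function parseBoundedInt(string $raw, int $min, int $max): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

/** Render one row of an admin user list; encoding happens at output time. */
function renderUserRow(array $user): string
{
    return sprintf('<tr><td>%s</td><td>%s</td></tr>',
        h($user['UserFirstName']), h($user['UserLastName']));
}

/** Render a log-search header, refusing non-numeric range/index values. */
function renderLogSearchHeader(string $rawRange, string $rawIndex): string
{
    $range = parseBoundedInt($rawRange, 1, 500);          // assumed page-size limit
    $index = parseBoundedInt($rawIndex, 0, PHP_INT_MAX);
    if ($range === null || $index === null) {
        // The rejected value is never echoed back into the page.
        return '<p class="error">Invalid range or index.</p>';
    }
    return sprintf('<p>Showing %d entries from offset %d</p>', $range, $index);
}

// Constructed sample data: names carrying markup and a quote, then one valid
// and one malformed range value.
$user = ['UserFirstName' => '<i>Ann</i>', 'UserLastName' => "O'Neil"];
echo renderUserRow($user), PHP_EOL;
echo renderLogSearchHeader('50', '0'), PHP_EOL;
echo renderLogSearchHeader('50"><i>', '0'), PHP_EOL;
```

Encoding at output time also covers names already stored before any input filter was introduced.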