|
Description
|
|
A vulnerability has been discovered in MIMEsweeper for SMTP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via multiple GET parameters to multiple scripts is not properly sanitised in MSWPMM/Common/Error.aspx before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
List of affected scripts and parameters:
<a href="http://[HOST]/MSWPMM/Common/Reminder.aspx?email
" target="_blank">http://[HOST]/MSWPMM/Common/Reminder.aspx?email
</a>
<a href="http://[HOST]/MSWPMM/Common/NewAccount.aspx?email&ddlCulture&btnCreateAccount&btnCancel
" target="_blank">http://[HOST]/MSWPMM/Common/NewA...reateAccount&btnCancel
</a>
<a href="http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress&tbPassword&cbAutoSignIn&btnSignIn&reason
" target="_blank">http://[HOST]/MSWPMM/Common/Sign...n&btnSignIn&reason
</a>
The vulnerability is confirmed in version 5.4. Other versions may also be affected.
|
