Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) does not send the "attachment" parameter in the Content-Disposition field for attachments, which causes the attachment to be rendered inline by Internet Explorer when the victim clicks the download link, which facilitates cross-site scripting (XSS) and possibly other attacks.
References
Configurations
Configuration 1 (hide)
|
History
23 Jul 2021, 15:12
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:* |
Information
Published : 2004-12-31 05:00
Updated : 2024-02-04 16:52
NVD link : CVE-2004-2704
Mitre link : CVE-2004-2704
CVE.ORG link : CVE-2004-2704
JSON object : View
Products Affected
hastymail
- hastymail
microsoft
- internet_explorer
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')