CVE-2012-2573

Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3.2.0-2.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) an ONLOAD attribute of a BODY element, (5) a crafted SRC attribute of an IFRAME element, (6) a crafted CONTENT attribute of an HTTP-EQUIV="refresh" META element, or (7) a data: URL in the CONTENT attribute of an HTTP-EQUIV="refresh" META element.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.exploit-db.com/exploits/20364/	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:tdah:t-day_webmail:3.2.0-2.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-08-12 21:55

Updated : 2024-02-04 18:16

NVD link : CVE-2012-2573

Mitre link : CVE-2012-2573

CVE.ORG link : CVE-2012-2573

JSON object : View

Products Affected

tdah

t-day_webmail

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2012-2573", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2012-08-12T21:55:01.120", "references": [{"url": "http://www.exploit-db.com/exploits/20364/", "tags": ["Exploit"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3.2.0-2.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) an ONLOAD attribute of a BODY element, (5) a crafted SRC attribute of an IFRAME element, (6) a crafted CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element, or (7) a data: URL in the CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en T-dah WebMail v3.2.0-2.3 permite a atacantes remotos inyectar c\u00f3digo web arbitrario o html a trav\u00e9s del cuerpo de un mensaje de correo electr\u00f3nico con (1) un elemento SCRIPT, (2) una expresi\u00f3n manipulada de una propiedad en una hoja de estilos (CSS) (3) una (3) expresi\u00f3n de una propiedad CSS en el atributo STYLE de un elemento arbitrario, (4) un atributo ONLOAD de un elemento BODY, (5) un atributo SRC de un elemento IFRAME manipulado, (6) un atributo CONTENT manipulado de un elemento META con HTTP-EQUIV = \"refresh\", o (7) a los datos: direcci\u00f3n URL en el atributo CONTENT de un elemento META con HTTP-EQUIV = \"refresh\"."}], "lastModified": "2012-08-13T04:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tdah:t-day_webmail:3.2.0-2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "821A7CC9-12C2-4E3A-8B5F-80470F4C16E5"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}