Message-ID: <55AE2137.3090505@axigen.com>
Date: Tue, 21 Jul 2015 13:38:47 +0300
From: Ioan Indreias <ioan.indreias@...gen.com>
To: bugtraq@...urityfocus.com
Subject: CVE-2015-5379: Axigen XSS vulnerability for html attachments

CVEID: CVE-2015-5379

SUBJECT: Axigen XSS vulnerability for html attachments

DESCRIPTION: Axigen's WebMail Ajax interface implements a view-attachment
function that loads HTML email attachments in the browser, so JavaScript
contained in such an attachment is executed.
This allows a malicious user to craft email messages that could expose
an Axigen WebMail Ajax user to cross-site scripting or other attacks
that rely on arbitrary JavaScript code running within a trusted domain.

Axigen versions starting with 9.0 address this issue by limiting the
attachment types that are loaded in the browser.
For earlier Axigen versions, patches are available on the Axigen support
channel.
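As an added illustration of the mitigation described above (example code, not Axigen's own), a response-header policy that serves only non-active attachment types inline and forces everything else, HTML included, to download; the allow-list, the `sandbox` CSP and the helper names are assumptions.

```python
import mimetypes

# Assumed allow-list of types a browser renders without running script.
INLINE_SAFE = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def sanitize_filename(name: str) -> str:
    """Strip directory components and header-breaking characters."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = "".join(c for c in base if c.isprintable() and c not in '"\r\n;')
    return cleaned or "attachment"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Response headers for serving one email attachment.

    Only types in INLINE_SAFE whose file extension agrees are served inline;
    anything else (HTML, SVG, XML, unknown) is forced to download so the
    browser never executes attachment content under the WebMail origin.
    """
    ctype = declared_type.split(";")[0].strip().lower()
    guessed = (mimetypes.guess_type(filename)[0] or "").lower()
    safe_name = sanitize_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}  # no sniffing into HTML
    if ctype in INLINE_SAFE and guessed in (ctype, ""):
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        # Even a mis-typed file served inline gets no script and no origin.
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample attachments: (filename, sender-declared Content-Type)
    samples = [("invoice.html", "text/html"),
               ("photo.png", "image/png; name=photo.png"),
               ("evil.html", "image/png"),
               ("notes.txt", "text/plain")]
    for name, declared in samples:
        print(name, "->", attachment_headers(name, declared)["Content-Disposition"])
```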

Affected Products and Versions: Axigen Mail Server [1] 8.x versions

Vendor Internal ID: AXI-CVE-20150601

Vendor security advisory: [2]

Reported by: An anonymous researcher working with Beyond Security's
SecuriTeam Secure Disclosure program [3]

[1] https://www.axigen.com
[2] https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html


