Date: Tue, 10 Mar 2015 21:42:20 +0800
From: Jing Wang <>
Subject: [FD] SuperWebMailer XSS (Cross-site Scripting)
	Security Vulnerabilities

*SuperWebMailer XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: SuperWebMailer "/defaultnewsletter.php" HTMLForm Parameter
XSS Security Vulnerabilities
Product: SuperWebMailer
Vendor: SuperWebMailer
Vulnerable Versions: 5.*.0.*   4.*.0.*
Tested Version: 5.*.0.*   4.*.0.*
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),

*Advisory Details:*

*(1) Vendor & Product Description:*


*Product & Vulnerable Versions:*

*Vendor URL & Download:*
SuperWebMailer can be obtained from here,

*Product Introduction:*
"Super webmail is web-based PHP Newsletter Software. The web-based PHP
Newsletter Software Super webmail is the optimal solution for the
implementation of successful e-mail marketing."

"To use the online PHP Newsletter Script, your own website / server with
PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs is required.
Once installed, the online newsletter software Super webmail can be served
directly in the browser. The PHP Newsletter Tool Super webmail can
therefore be used platform-independently on all operating systems such as
Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP
Newsletter Script allows you to manage your newsletter recipients including
registration and deregistration from the newsletter mailing list by
Double Opt-In, Double Opt-Out and automatic bounce management. Send your
personalized newsletter / e-mails online in HTML and Text format with
embedded images and attachments immediately in the browser or by CronJob
script in the background, immediately or later. With the integrated
tracking function you can monitor the success of the newsletter mailing,
whereby the openings of the newsletter and clicks on links in the
newsletter are graphically evaluated and presented. Put the integrated
autoresponder to autorun absence messages or the receipt of e-mails to

"CKEditor 4.4.7 is now included. An upgrade to the latest version is
recommended, as a vulnerability was found in CKEditor 4.4.5. Super webmail from
now on contains a new chart component for the statistics that does not
need Flash and is therefore also displayed on Apple devices. For the
newsletter tracking statistics an easy print version of the charts is now
available that can be printed or saved to a PDF file with an installed PDF
printer driver. When viewing the e-mails in the mailing lists, the sender of
the e-mail that sent the e-mail to the mailing list is displayed in a
column. For form creation for the newsletter subscription / cancellation
there are now available variant"

*(2) Vulnerability Details:*
The SuperWebMailer web application contains a cross-site scripting (XSS)
vulnerability. A remote attacker could create a specially crafted request
that executes arbitrary script code in a user's browser session, within the
trust relationship between that browser and the server. Other researchers
have previously reported other XSS vulnerabilities in the product, and
SuperWebMailer has patched them.

*(2.1)* The flaw occurs on the "defaultnewsletter.php" page, in the
"HTMLForm" query parameter (passed as "&HTMLForm=...").
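As an added defender-side example (not part of this advisory and not SuperWebMailer's own code), the following Python snippet scans combined-format web-server access logs for requests to the page and parameter named above whose value carries HTML markup or a script handler; the log lines, client addresses and the helper name `suspicious_requests` are constructed for illustration.

```python
"""Flag access-log entries that hit defaultnewsletter.php with markup in the
HTMLForm query parameter (the XSS sink named in the advisory).
All log lines below are constructed sample data, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx combined-log shape: client, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators that have no business inside a form-name parameter:
# an HTML tag opener, a javascript: URL, or an on*= event handler.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|on[a-z]+\s*=',
                       re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:21:42:20 +0800] "GET /defaultnewsletter.php?HTMLForm=signup HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2015:21:43:01 +0800] "GET /defaultnewsletter.php?HTMLForm=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.7 - - [10/Mar/2015:21:43:05 +0800] "GET /index.php?q=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 300
203.0.113.9 - - [10/Mar/2015:21:44:10 +0800] "GET /defaultnewsletter.php?HTMLForm=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 640
"""


def suspicious_requests(log_text, page="/defaultnewsletter.php", param="HTMLForm"):
    """Return (client_ip, decoded_value) for requests to `page` whose
    `param` value contains markup after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m.group("target"))
        if parts.path != page:
            continue
        # parse_qs decodes once; unquote_plus again so a double-encoded
        # value (%253C...) is inspected in its final form too.
        for value in parse_qs(parts.query).get(param, []):
            decoded = unquote_plus(value)
            if MARKUP_RE.search(decoded):
                hits.append((m.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: HTMLForm={value!r}")
```

Only GET requests are visible this way; a payload submitted in a POST body does not appear in standard access logs, so the server-side fix (HTML-encoding the parameter before it is reflected into the page) is what actually closes the issue.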


Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),

Sent through the Full Disclosure mailing list