Advertisement






Horde IMPs 4.3.7 below cross site scripting vulnerability

CVE Category Price Severity
CVE-2020-12345 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2010-10-06
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 0 0

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010090140

Below is a copy:

Hi,

Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)
vulnerability:

The fetchmailprefs.php script fails to properly sanitize user supplied
input to the 'fm_id' URL parameter. If exploited, injected code will be
persistent (persistent XSS) and will execute once the user (manually)
accesses mail fetching preferences.

The following URL can be used as a proof of concept:
> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create

Prior authentication to IMP is required for immediate exploitation.
Follow-up authentication is also possible if the victims' IMP
configuration has folder maintenance options disabled.

This issue has been fixed by Jan Schneider of the Horde Project:
> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11

According to him, Horde IMP v4.3.8 (or a release candidate) which fixes
this issue is to be released within the week. Release announcements will
likely be communicated through
http://lists.horde.org/mailman/listinfo/announce

Credits for this discovery:

Moritz Naumann
Naumann IT Security Consulting, Berlin, Germany
http://moritz-naumann.com

Thanks for reading,

Moritz

-- 
Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin
Germany

Web     http://moritz-naumann.com
GPG     http://moritz-naumann.com/keys/0x277F060C.asc
        17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C

Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.