CVE-2007-4172 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Open Webmail (OWM) 2.52 20060831 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) searchtype, (2) longpage, and (3) page parameters to (a) openwebmail-main.pl; the (4) prefs_caller, (5) userfirsttime, (6) page, (7) sort, (8) folder, and (9) message_id parameters to (b) openwebmail-prefs.pl; the (10) compose_caller, (11) msgdatetype, (12) keyword, (13) searchtype, (14) folder, (15) page, and (16) sort parameters to (c) openwebmail-send.pl; the (17) folder, (18) page, and (19) sort parameters to (d) openwebmail-folder.pl; the (20) searchtype, (21) page, (22) filesort, (23) singlepage, (24) showhidden, (25) showthumbnail, and (26) message_id parameters to (e) openwebmail-webdisk.pl; the (27) folder parameter to (f) openwebmail-advsearch.pl; and the (28) abookcollapse, (29) abooksearchtype, (30) abooksort, (31) abooklongpage, (32) abookpage, (33) message_id, (34) searchtype, (35) msgdatetype, (36) sort, (37) page, (38) rootxowmuid, and (39) listviewmode parameters to (g) openwebmail-abook.pl, different vectors than CVE-2005-2863, CVE-2006-2190, CVE-2006-3229, and CVE-2006-3233.
Reference
http://pridels-team.blogspot.com/2007/08/openwebmail-multiple-xss-vuln.html
http://securityreason.com/securityalert/2965
http://www.securityfocus.com/bid/25175
https://exchange.xforce.ibmcloud.com/vulnerabilities/35754