Cross-Site Scripting Vulnerability in Openfind Mail2000 Webmail
CVE-2019-9763

6.1MEDIUM

Key Information:

Vendor
Openfind
Status
Mail2000
Vendor
CVE Published:
19 June 2019

Summary

An issue has been identified in Openfind Mail2000 versions 6.0 and 7.0, where an XSS vulnerability can be triggered via an '<object data="data:text/html' substring present in an e-mail message. This flaw could allow attackers to execute arbitrary scripts in the context of the user's session. The vendor has since released patches to mitigate this vulnerability.

References

https://gist.github.com/keniver/1f6092242ee79a8456a86bb76...
x_refsource_MISC
https://www.openfind.com.tw/taiwan/download/m2k/patch/Ope...
x_refsource_CONFIRM
https://www.openfind.com.tw/taiwan/download/m2k/patch/Ope...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.