Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

NetWin Surgemail 4.3e Cross Site Scripting

🗓️ 04 Oct 2010 00:00:00Reported by Kerem KocaerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

NetWin Surgemail 4.3e Cross Site Scripting vulnerability in webmail logi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2010-3201
4 Oct 201000:00
circl
CVE		CVE-2010-3201
7 Jan 201122:00
cve
Cvelist		CVE-2010-3201
7 Jan 201122:00
cvelist
EUVD		EUVD-2010-3200
7 Oct 202500:30
euvd
NVD		CVE-2010-3201
7 Jan 201123:00
nvd
OpenVAS		SurgeMail SurgeWeb Cross Site Scripting Vulnerability
5 Oct 201000:00
openvas
OpenVAS		SurgeMail < 4.3g XSS Vulnerability
5 Oct 201000:00
openvas
OpenVAS		SurgeMail < 4.3g XSS Vulnerability - Active Check
18 Jan 201100:00
openvas
OpenVAS		SurgeMail SurgeWeb Cross Site Scripting Vulnerability
18 Jan 201100:00
openvas
Prion		Cross site scripting
7 Jan 201123:00
prion
Rows per page
`Application NetWin Surgemail 4.3e  
Vendor NetWin - http://netwinsite.com  
  
Discovered by Kerem Kocaer <[email protected]>  
  
Problem  
-------  
Cross-site scripting (XSS) vulnerability in the Surgemail webmail login page  
(/surgemail) allows remote attackers to inject arbitrary web script or HTML.   
  
Input passed to the "username_ex" parameter is not properly sanitised before   
being returned to the user, therefore enabling the execution of arbitrary   
script code in a user's browser session, which can lead to cookie theft and   
session hijacking.   
  
The vulnerability is confirmed to exist in version 4.3e (latest version at   
the date of vulnerability discovery). Previous versions may also be vulnerable.  
  
Exploit  
-------  
http://[address]/surgeweb?username_ex="/><scri<script>alert(document.cookie);</script><input type="hidden  
(tested on Firefox)  
  
Fix  
---  
The vendor has reported fixing the problem in version 4.3g.  
  
Timeline  
--------  
2010-05-13 Notified NetWin (ChrisP.)  
2010-05-13 Received response from NetWin  
2010-05-13 Provided details to NetWin  
2010-05-26 Surgemail patched  
  
Reference  
---------  
CVE Number: CVE-2010-3201  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Oct 2010 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.01884
netwin surgemailcross-site scriptingremote attackhtmlweb scriptcookie theftsession hijackingvulnerable versionexploitsecurity patchcve-2010-3201
30