CERTA-2005-AVI-364

Vulnerability from certfr_avis - Published: 2005-09-27 - Updated: 2005-09-27

A cross-site scripting vulnerability is present in the SqWebMail component of Courier.

Description

Courier is a suite of mail services that includes a webmail service called SqWebMail. A vulnerability in SqWebMail allows a malicious remote user to carry out cross-site scripting attacks by means of a maliciously crafted e-mail message. The vulnerability is exploitable only if the victim uses Internet Explorer to read their e-mail through the webmail.

Solution

Upgrade Courier-SqWebMail to version 5.0.6:

http://www.courier-mta.org/?download.php

Affected systems: Courier-SqWebMail versions 5.0.4 and earlier.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eCourier-SqWebMail versions 5.0.4 et  ant\u00e9rieures.\u003c/p\u003e",
  "content": "## Description\n\nCourier est un ensemble de services de messagerie comprenant un service\nde type webmail appel\u00e9 SqWebMail. Une vuln\u00e9rabilit\u00e9 de ce dernier permet\n\u00e0 un utilisateur distant mal intentionn\u00e9 d\u0027effectuer des attaques de\ntype cross-site scripting par le biais d\u0027un message \u00e9lectronique\nmalicieusement constitu\u00e9. La vuln\u00e9rabilit\u00e9 est exploitable uniquement si\nla victime utilise Internet Explorer pour lire son courrier \u00e9lectronique\nvia le webmail.\n\n## Solution\n\nMettre \u00e0 jour Courier-SqWebMail en version 5.0.6 :\n\n    http://www.courier-mta.org/?download.php\n",
  "cves": [],
  "initial_release_date": "2005-09-27T00:00:00",
  "last_revision_date": "2005-09-27T00:00:00",
  "links": [
    {
      "title": "Site de Courier :",
      "url": "http://www.courier-mta.org"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Debian DSA-820 du 24 septembre 2005 :",
      "url": "http://www.debian.org/security/2005/dsa-820"
    },
    {
      "title": "Liste des changements de Courier :",
      "url": "http://www.courier-mta.org/changelog.html"
    },
    {
      "title": "Site de SqWebMail :",
      "url": "http://www.courier-mta.org/sqwebmail/"
    }
  ],
  "reference": "CERTA-2005-AVI-364",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2005-09-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Cross-site scripting"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 de type cross-site scripting est pr\u00e9sente dans le\ncomposant SqWebMail de Courier.\n",
  "title": "Vuln\u00e9rabilit\u00e9 de Courier-SqWebMail",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Changement du 2005-08-26 dans la liste des changements de Courier.",
      "url": null
    }
  ]
}

