CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4172
https://notcve.org/view.php?id=CVE-2007-4172
Multiple cross-site scripting (XSS) vulnerabilities in Open Webmail (OWM) 2.52 20060831 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) searchtype, (2) longpage, and (3) page parameters to (a) openwebmail-main.pl; the (4) prefs_caller, (5) userfirsttime, (6) page, (7) sort, (8) folder, and (9) message_id parameters to (b) openwebmail-prefs.pl; the (10) compose_caller, (11) msgdatetype, (12) keyword, (13) searchtype, (14) folder, (15) page, and (16) sort parameters to (c) openwebmail-send.pl; the (17) folder, (18) page, and (19) sort parameters to (d) openwebmail-folder.pl; the (20) searchtype, (21) page, (22) filesort, (23) singlepage, (24) showhidden, (25) showthumbnail, and (26) message_id parameters to (e) openwebmail-webdisk.pl; the (27) folder parameter to (f) openwebmail-advsearch.pl; and the (28) abookcollapse, (29) abooksearchtype, (30) abooksort, (31) abooklongpage, (32) abookpage, (33) message_id, (34) searchtype, (35) msgdatetype, (36) sort, (37) page, (38) rootxowmuid, and (39) listviewmode parameters to (g) openwebmail-abook.pl, different vectors than CVE-2005-2863, CVE-2006-2190, CVE-2006-3229, and CVE-2006-3233. Múltiples vulnerabilidades de XSS en Open Webmail (OWM) 2.52 20060831 y versiones anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) searchtype, (2) longpage y (3) page para (a) openwebmail-main.pl; los parámetros (4) prefs_caller, (5) userfirsttime, (6) page, (7) sort, (8) folder y (9) message_id para (b) openwebmail-prefs.pl; los parámetros (10) compose_caller, (11) msgdatetype, (12) keyword, (13) searchtype, (14) folder, (15) page y (16) sort para (c) openwebmail-send.pl; los parámetros (17) folder, (18) page y (19) sort para (d) openwebmail-folder.pl; los parámetros (20) searchtype, (21) page, (22) filesort, (23) singlepage, (24) showhidden, (25) showthumbnail y (26) message_id parameters para (e) openwebmail-webdisk.pl; el parámetro (27) folder para (f) openwebmail-advsearch.pl; y los parámetros (28) abookcollapse, (29) abooksearchtype, (30) abooksort, (31) abooklongpage, (32) abookpage, (33) message_id, (34) searchtype, (35) msgdatetype, (36) sort, (37) page, (38) rootxowmuid y (39) listviewmode para (g) openwebmail-abook.pl, diferentes vectores a CVE-2005-2863, CVE-2006-2190, CVE-2006-3229 y CVE-2006-3233. • http://pridels-team.blogspot.com/2007/08/openwebmail-multiple-xss-vuln.html http://securityreason.com/securityalert/2965 http://www.securityfocus.com/bid/25175 https://exchange.xforce.ibmcloud.com/vulnerabilities/35754 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2006-3233
https://notcve.org/view.php?id=CVE-2006-3233
Cross-site scripting (XSS) vulnerability in openwebmail-read.pl in Open WebMail (OWM) 2.52, and other versions released before 06/18/2006, allows remote attackers to inject arbitrary web script or HTML via the from field. NOTE: some third party sources have mentioned the "to" and "from" fields, although CVE analysis shows that these are associated with the previous version, a different executable, and a different CVE. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en openwebmail-read.pl en Open WebMail (OWM) v2.52, y otras versiones relacionadas anteriores a 06/18/2006, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo from. NOTA: terceras partes han mencionado los campos "to" y "from", aunque los análisis CVE muestran que éstos están asociados con la versión previa, un ejecutable diferente, y una CVE diferente • http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/openwebmail-read.pl?rev1=236%3Brev2=237 http://openwebmail.org/openwebmail/doc/changes.txt http://secunia.com/advisories/20714 http://www.attrition.org/pipermail/vim/2006-June/000902.html http://www.securityfocus.com/bid/18598 http://www.vupen.com/english/advisories/2006/2485 https://exchange.xforce.ibmcloud.com/vulnerabilities/27309 •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2006-3229
https://notcve.org/view.php?id=CVE-2006-3229
Cross-site scripting (XSS) vulnerability in Open WebMail (OWM) 2.52, and other versions released before 05/12/2006, allows remote attackers to inject arbitrary web script or HTML via the (1) To and (2) From fields in openwebmail-main.pl, and possibly (3) other unspecified vectors related to "openwebmailerror calls that need to display HTML." Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Open WebMail (OWM) v2.52, otras versiones lanzadas con anteriorioridad a 12/05/2006, permite a atacantes remotos inyectar código web o HTML a través de los campos (1)A: y (2) Desde: en openwebmail-main.pl, y probablemente (3) otros vectores no especificados relacionados con llamadas "openwebmailerror que necesitan mostrar HTML." • http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/openwebmail-main.pl?rev1=235%3Brev2=236 http://openwebmail.org/openwebmail/doc/changes.txt http://secunia.com/advisories/20714 http://www.attrition.org/pipermail/vim/2006-June/000902.html https://exchange.xforce.ibmcloud.com/vulnerabilities/27309 •
CVSS: 6.8EPSS: 5%CPEs: 17EXPL: 1CVE-2006-2190
https://notcve.org/view.php?id=CVE-2006-2190
Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter in (1) openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3) openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5) openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl, and (8) openwebmail-webdisk.pl. NOTE: the openwebmail-main.pl vector is already covered by CVE-2005-2863. • http://openwebmail.acatysmoof.com/archive/html/owm-announce/owm-announce.200605/msg00000.html http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/shares/ow-shared.pl?rev1=232%3Brev2=233 http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/log/trunk/?rev=233&limit=33 http://pridels0.blogspot.com/2006/04/open-webmail-251-xss-vuln.html http://secunia.com/advisories/16734 https://exchange.xforce.ibmcloud.com/vulnerabilities/26105 •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2005-1435
https://notcve.org/view.php?id=CVE-2005-1435
Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. • http://secunia.com/advisories/15225 http://securitytracker.com/id?1013859 http://sourceforge.net/forum/message.php?msg_id=3128678 •