List: full-disclosure
Subject: [FD] [CVE-2015-6942] CoreMail XT3.0 Stored XSS
From: shack.li <shack.li () dbappsecurity ! com ! cn>
Date: 2015-11-27 1:21:39
Message-ID: 201511270921394770571 () dbappsecurity ! com ! cn
Application: CoreMail
Versions Affected: XT3.0
Vendor URL: http://www.coremail.cn/
Bugs: Stored XSS
Author: shack.li (DBAPPSecurity Ltd)
Description:
The Coremail mail system was born in 1999 and is widely used in network
operators, large enterprises, government institutions, colleges and
universities and other mail systems; so far, it has more than 700000000
users (the official website).

Create a document and insert a hyperlink whose target is the JavaScript test
code "javascript:alert ()". Then create a mail, upload the document as an
attachment, and send it to the other users who need it. When other users
preview the document online and click the hyperlink, the attack code will be
executed.
step one:
step two:
----------------------------------------------------------------------
E-mail: shack.li@dbappsecurity.com.cn
DBAppSecurity Ltd
www.dbappsecurity.com.cn
["Catch(11-26-20-3(11-27-09-18-45).jpg" (image/jpeg)]
["CatchE627(11-26-(11-27-09-18-45).jpg" (image/jpeg)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
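
The advisory above turns on a "javascript:" hyperlink surviving into the online document preview. The following is an added example, not part of the original advisory and not CoreMail code: one way a preview renderer could gate hyperlink targets with a scheme allowlist. The function names, the allowlist and the assumption that the renderer passes each extracted link through this check are all hypothetical.

```javascript
// Added example (hypothetical names): scheme allowlist for hyperlinks that a
// document-preview renderer extracts from an attachment.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Returns a normalized absolute URL, or null if the link must not be clickable.
function safeHref(raw) {
  let url;
  try {
    // Parse with the WHATWG URL parser so the check sees what a browser sees:
    // scheme lowercased, surrounding spaces/control characters trimmed,
    // tabs and newlines dropped.
    url = new URL(String(raw));
  } catch {
    return null; // relative or unparsable targets are not linked in a preview
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Renders one link for the preview; rejected targets become inert text.
function renderPreviewLink(text, rawHref) {
  const href = safeHref(rawHref);
  const label = escapeHtml(text);
  if (href === null) return `<span class="link-disabled">${label}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${label}</a>`;
}

// Constructed sample links, including the test target from the advisory.
const samples = [
  ["Quarterly report", "https://example.com/report?id=1&v=2"],
  ["Click me", "javascript:alert ()"],
  ["Click me", "  JaVaScRiPt:alert ()"],
  ["Contact", "mailto:user@example.com"],
];
for (const [text, href] of samples) console.log(renderPreviewLink(text, href));
```

Comparing the raw string against "javascript:" is not enough, because the browser normalizes the target before acting on it; allowlisting on the parsed scheme avoids that mismatch.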