Dreammail 5 mail client XSS Vulnerability

From: wwiinngd@gmail.com
To: bugtraq@securityfocus.com
Subject: Dreammail 5 mail client XSS Vulnerability

Title: Dreammail 5 mail client XSS Vulnerability
Software : Dreammail 

Software Version : v5.16

Vendor: www.dreammail.org

Vulnerability Published : 2016-03-21

Impact : Medium(CVSS2 Base : 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N)

Bug Description :
DreamMail is an email client application that allows its users to send, receive, and manage email.
DreamMail (v5.16) may be compromised by cross-site scripting attacks: once an attacker sends an email containing specific JavaScript code, the victims who receive that email may lose personal credentials, or the victims' browsers may be hijacked.

# Proof of concept: an email whose body contains the code below triggers the vulnerability.
<img src=x onerror=alert(/xss/) />

Solution :
Before rendering a message body, pass it through an encoding function such as htmlencode(), or filter out the characters that have special meaning in HTML and JavaScript.
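The two treatments suggested above, as an added example that is not DreamMail's code: encode_body() applies the htmlencode() approach to the whole body, and MailSanitizer is a hypothetical allowlist filter that keeps harmless markup but drops event-handler attributes, script-carrying URLs and script elements. The sample body is constructed from the advisory's proof-of-concept payload.

```python
import html
from html.parser import HTMLParser

# Constructed sample mail body; it mirrors the advisory's proof-of-concept.
MALICIOUS_BODY = '<p>Hello</p><img src=x onerror=alert(/xss/) /><b>bye</b>'

def encode_body(body: str) -> str:
    """Option 1 (the advisory's htmlencode): render the body as literal text."""
    return html.escape(body, quote=True)

# Option 2 (hypothetical filter, not DreamMail's): keep harmless markup only.
ALLOWED_TAGS = {"p", "b", "i", "br", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "cid"}  # URL schemes an attribute may use
VOID_TAGS = {"br", "img"}                 # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}        # element and its text are discarded

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text is still kept (escaped)
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onerror, onload, ...) and non-allowlisted attributes go.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            scheme, sep, _ = value.partition(":")
            if sep and scheme.strip().lower() not in SAFE_SCHEMES:
                continue  # e.g. javascript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_body(body: str) -> str:
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```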
