Dreammail 5 mail client XSS Vulnerability Jul 22 2016 03:45AM
wwiinngd gmail com
Title: Dreammail 5 mail client XSS Vulnerability
Software : Dreammail

Software Version : v5.16

Vendor: www.dreammail.org

Vulnerability Published : 2016-03-21

Email: wwiinngd (at) gmail (dot) com
Impact : Medium(CVSS2 Base : 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N)

Bug Description :
DreamMail is an email client application that allows its users to send, receive, and
manage emails.
DreamMail (ver 5.16) is vulnerable to cross-site scripting attacks. When an attacker
sends an email containing specific JavaScript code, the victims who receive that email
may lose personal credentials, or the browsers of the victims may be hijacked.

# An email becomes malicious when it contains the code below.
<img src=x onerror=alert(/xss/) />

Solution :
Encode message content before display with a function such as htmlencode(), or filter
the symbols that are significant in JavaScript and HTML.
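
The two mitigations named above, sketched as an added example (not DreamMail code and not from the advisory author): plain-text bodies are HTML-encoded, and HTML bodies are rebuilt from an allowlist so event-handler attributes such as onerror never reach the rendering engine. The tag and attribute policy, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: a small allowlist, no on* handlers, no style.
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "cid:")
VOID_TAGS = {"br", "img"}

class MailSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is HTML-encoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text is kept encoded
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # drops onerror, onclick, style, ...
            if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                continue                # drops relative and script-scheme URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_html(body):
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def render_message(raw):
    """Return display-safe markup for a single-part, unencoded message (assumption)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if msg.get_content_type() == "text/html":
        return sanitize_html(body)
    return escape(body)                 # plain text: encode everything

# Constructed sample message carrying the markup quoted in this advisory.
SAMPLE = ("From: sender@example.com\nSubject: constructed sample\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          '<p>Hi</p><img src=x onerror=alert(/xss/) />'
          '<a href="https://example.com/" style="x">link</a>')
```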
