Secunia Research has discovered a vulnerability in SqWebMail, which can be exploited by malicious people to conduct script insertion attacks.
The vulnerability is caused by SqWebMail allowing the use of tags such as "<script>" within an HTML comment. Combined with "Conditional Comments" in Internet Explorer, this can be exploited to execute arbitrary script code in a user's browser session in the context of a vulnerable site when a malicious email is viewed.
Successful exploitation requires that the user is using Internet Explorer.
Example in an HTML email:
The vulnerability has been confirmed in version 5.0.4. Prior versions may also be affected.
Solution: The vendor has issued an updated version of SqWebMail, which fixes this vulnerability.
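One way to close this class of filter bypass, shown as an added example that is neither SqWebMail's actual fix nor code from this advisory: remove every HTML comment from the message body before tag filtering, so markup inside a comment never reaches the browser. The function name and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Remove every HTML comment from s, in place (hypothetical helper).
 * The scan restarts from the beginning after each removal, so text that
 * only becomes "<!--" once an inner comment is deleted is caught too.
 * Post-condition: s contains no "<!--" at all.
 */
void strip_html_comments(char *s)
{
    char *start;

    while ((start = strstr(s, "<!--")) != NULL) {
        /* Search from just after "<!" so "<!-->" and "<!--->" also close. */
        char *end = strstr(start + 2, "-->");

        if (end == NULL) {
            /* Unterminated comment: drop the rest of the body (fail closed). */
            *start = '\0';
            break;
        }
        /* Close the gap, including the terminating NUL. */
        memmove(start, end + 3, strlen(end + 3) + 1);
    }
}

int main(void)
{
    /* Constructed sample body: a conditional comment wrapping a script tag. */
    char body[] =
        "<p>Hello</p>"
        "<!--[if IE]><script>placeholder()</script><![endif]-->"
        "<p>Regards</p>";

    strip_html_comments(body);
    printf("%s\n", body);   /* comment and its contents are gone */
    return 0;
}
```

Run this pass before the existing tag and attribute filter, not instead of it: it only guarantees that no comment survives to hide markup from that filter.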