Cross site scripting in compose, draft & HTML mail viewing
- Cross site scripting via malicious input to the mailto parameter of webmail.php and the session and delete_draft parameters of compose.php. This has been addressed in 1.4.9.
Cross site scripting via a shortcoming in the magicHTML filter. This has been addressed in 1.4.9 and improved in 1.4.9a.
- Affected Versions:
- 1.4.0 - 1.4.9
- Register Globals:
- Register_globals does not have to be on for this issue.
- CVE ID(s):
- view patch
- Thanks go to Martijn Brinkers for his continuous research that uncovered these problems.
- This page last updated:
- 2006-12-04 09:30:18