CVE-2004-2548: XSS
First published: Fri Dec 31 2004(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to inject arbitrary web script or HTML via (a) a URI containing the script, or (b) the username field in the login form. NOTE: it is possible that the first attack vector is resultant from the error message issue (CVE-2004-2547).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NetWin SurgeMail | <=2.0a2 | |
| NetWin SurgeMail | =1.8f | |
| NetWin Webmail | =3.1d | |
| NetWin SurgeMail | =1.8d | |
| NetWin SurgeMail | =1.8b3 | |
| NetWin SurgeMail | =1.8g3 | |
| NetWin SurgeMail | =1.8a | |
| NetWin SurgeMail | =1.9 | |
| NetWin SurgeMail | =1.9b2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0056.html
- http://www.exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt
- http://www.netwinsite.com/surgemail/help/updates.htm
- http://www.securityfocus.com/bid/10483
- http://www.osvdb.org/6746
- http://secunia.com/advisories/11772
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16320
Frequently Asked Questions
What is the severity of CVE-2004-2548?
CVE-2004-2548 is classified as a moderate severity vulnerability due to the potential for cross-site scripting attacks.
How do I fix CVE-2004-2548?
To mitigate CVE-2004-2548, upgrade to NetWin SurgeMail version 2.0c or later and ensure that input is properly sanitized.
What are the affected versions in CVE-2004-2548?
CVE-2004-2548 affects NetWin SurgeMail versions prior to 2.0c and specific versions of WebMail.
Can CVE-2004-2548 be exploited remotely?
Yes, CVE-2004-2548 can be exploited remotely through crafted URIs or by manipulating the username field in the login form.
What type of attacks are associated with CVE-2004-2548?
CVE-2004-2548 is associated with cross-site scripting (XSS) attacks that allow for arbitrary script or HTML injection.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/netwin
- canonical/netwin surgemail
- version/netwin surgemail/2.0a2
- version/netwin surgemail/1.8a
- version/netwin surgemail/1.8b3
- version/netwin surgemail/1.8d
- version/netwin surgemail/1.8f
- version/netwin surgemail/1.8g3
- version/netwin surgemail/1.9
- version/netwin surgemail/1.9b2
- canonical/netwin webmail
- version/netwin webmail/3.1d