Sign-up

ID

VAR-201403-0309


CVE

CVE-2014-2325


TITLE

Proxmox Mail Gateway Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-001681

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Gateway before 3.1-5829 allow remote attackers to inject arbitrary web script or HTML via the (1) state parameter to objects/who/index.htm or (2) User email address to quarantine/spam/manage.htm. Proxmox Mail Gateway is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Proxmox Mail Gateway 3.1 is vulnerable; other versions may also be affected. The product protects email from viruses, phishing and Trojans

Trust: 1.98

sources: NVD: CVE-2014-2325 // JVNDB: JVNDB-2014-001681 // BID: 66169 // VULHUB: VHN-70264

AFFECTED PRODUCTS

vendor:proxmoxmodel:mail gatewayscope:eqversion:3.0

Trust: 1.6

vendor:proxmoxmodel:mail gatewayscope:eqversion:3.1-5673

Trust: 1.6

vendor:proxmoxmodel:mail gatewayscope:eqversion:3.1-5670

Trust: 1.6

vendor:proxmoxmodel:mail gatewayscope:eqversion:3.1

Trust: 1.6

vendor:proxmoxmodel:mail gatewayscope:lteversion:3.1-5741

Trust: 1.0

vendor:proxmox servermodel:mail gatewayscope:ltversion:3.1-5829

Trust: 0.8

vendor:proxmoxmodel:mail gatewayscope:eqversion:3.1-5741

Trust: 0.6

vendor:proxmoxmodel:server solutions mail gatewayscope:eqversion:3.1

Trust: 0.3

sources: BID: 66169 // JVNDB: JVNDB-2014-001681 // CNNVD: CNNVD-201403-278 // NVD: CVE-2014-2325

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2325
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2325
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201403-278
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70264
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2325
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70264
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70264 // JVNDB: JVNDB-2014-001681 // CNNVD: CNNVD-201403-278 // NVD: CVE-2014-2325

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70264 // JVNDB: JVNDB-2014-001681 // NVD: CVE-2014-2325

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-278

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201403-278

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001681

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-70264

PATCH
title:Proxmox Newsletter, March 2014: Proxmox VE 3.2 releasedurl:http://proxmox.com/news/archive/view/listid-1-proxmox-newsletter/mailid-48-proxmox-newsletter-march-2014-proxmox-ve-3-2-released/tmpl-component
Trust: 0.8
title:Proxmox Mail Gatewayurl:https://www.proxmox.com/proxmox-mail-gateway
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-001681

EXTERNAL IDS
db:NVDid:CVE-2014-2325
Trust: 2.8
db:BIDid:66169
Trust: 2.0
db:JVNDBid:JVNDB-2014-001681
Trust: 0.8
db:CNNVDid:CNNVD-201403-278
Trust: 0.7
db:FULLDISCid:20140312 MULTIPLUS XSS IN PROXMOX MAIL GATEWAY 3.1 (CVE-2014-2325)
Trust: 0.6
db:VULHUBid:VHN-70264
Trust: 0.1
sources:
            
            
            VULHUB: VHN-70264 // 
            
            
            
            BID: 66169 // 
            
            
            
            JVNDB: JVNDB-2014-001681 // 
            
            
            
            CNNVD: CNNVD-201403-278 // 
            
            
            
            NVD: CVE-2014-2325

REFERENCES
url:http://proxmox.com/news/archive/view/listid-1-proxmox-newsletter/mailid-48-proxmox-newsletter-march-2014-proxmox-ve-3-2-released/tmpl-component
Trust: 2.0
url:http://www.securityfocus.com/bid/66169
Trust: 1.7
url:http://seclists.org/fulldisclosure/2014/mar/110
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2325
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2325
Trust: 0.8
url:http://proxmox.com
Trust: 0.3
sources:
            
            
            VULHUB: VHN-70264 // 
            
            
            
            BID: 66169 // 
            
            
            
            JVNDB: JVNDB-2014-001681 // 
            
            
            
            CNNVD: CNNVD-201403-278 // 
            
            
            
            NVD: CVE-2014-2325

CREDITS
William Costa
Trust: 0.3
sources:
            
            
            BID: 66169

SOURCES
db:VULHUBid:VHN-70264
db:BIDid:66169
db:JVNDBid:JVNDB-2014-001681
db:CNNVDid:CNNVD-201403-278
db:NVDid:CVE-2014-2325

LAST UPDATE DATE
2025-04-13T23:34:12.940000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-70264date:2014-03-26T00:00:00
db:BIDid:66169date:2014-03-12T00:00:00
db:JVNDBid:JVNDB-2014-001681date:2014-03-18T00:00:00
db:CNNVDid:CNNVD-201403-278date:2014-03-18T00:00:00
db:NVDid:CVE-2014-2325date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-70264date:2014-03-14T00:00:00
db:BIDid:66169date:2014-03-12T00:00:00
db:JVNDBid:JVNDB-2014-001681date:2014-03-18T00:00:00
db:CNNVDid:CNNVD-201403-278date:2014-03-18T00:00:00
db:NVDid:CVE-2014-2325date:2014-03-14T14:55:04.407