Sign-up

ID

VAR-201406-0382


CVE

CVE-2014-3878


TITLE

Ipswitch IMail Server of Web Cross-site scripting vulnerability in client interface

Trust: 0.8

sources: JVNDB: JVNDB-2014-002758

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the web client interface in Ipswitch IMail Server 12.3 and 12.4, possibly before 12.4.1.15, allow remote attackers to inject arbitrary web script or HTML via (1) the Name field in an add new contact action in the Contacts section or unspecified vectors in (2) an Add Group task in the Contacts section, (3) an add new event action in the Calendar section, or (4) the Task section. Ipswitch IMail Server of Web The client interface contains a cross-site scripting vulnerability.By any third party, any Web Script or HTML May be inserted. IPSwitch IMail Server WEB client is prone to multiple HTML-injection vulnerabilities because it fails to sanitize user-supplied input. Attacker supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

Trust: 1.98

sources: NVD: CVE-2014-3878 // JVNDB: JVNDB-2014-002758 // BID: 67830 // VULHUB: VHN-71818

AFFECTED PRODUCTS

vendor:ipswitchmodel:imail serverscope:eqversion:12.4

Trust: 2.7

vendor:ipswitchmodel:imail serverscope:eqversion:12.3

Trust: 2.4

sources: BID: 67830 // JVNDB: JVNDB-2014-002758 // CNNVD: CNNVD-201406-063 // NVD: CVE-2014-3878

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3878
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-3878
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201406-063
value: MEDIUM

Trust: 0.6

VULHUB: VHN-71818
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-3878
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-71818
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-71818 // JVNDB: JVNDB-2014-002758 // CNNVD: CNNVD-201406-063 // NVD: CVE-2014-3878

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-71818 // JVNDB: JVNDB-2014-002758 // NVD: CVE-2014-3878

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-063

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201406-063

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002758

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-71818

PATCH
title:Top Pageurl:http://www.imailserver.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-002758

EXTERNAL IDS
db:NVDid:CVE-2014-3878
Trust: 2.8
db:PACKETSTORMid:126948
Trust: 1.9
db:EXPLOIT-DBid:33633
Trust: 1.7
db:BIDid:67830
Trust: 1.4
db:SECTRACKid:1030335
Trust: 1.1
db:JVNDBid:JVNDB-2014-002758
Trust: 0.8
db:CNNVDid:CNNVD-201406-063
Trust: 0.7
db:SEEBUGid:SSVID-86838
Trust: 0.1
db:VULHUBid:VHN-71818
Trust: 0.1
sources:
            
            
            VULHUB: VHN-71818 // 
            
            
            
            BID: 67830 // 
            
            
            
            JVNDB: JVNDB-2014-002758 // 
            
            
            
            CNNVD: CNNVD-201406-063 // 
            
            
            
            NVD: CVE-2014-3878

REFERENCES
url:http://packetstormsecurity.com/files/126948/ipswitch-imail-12.4-cross-site-scripting.html
Trust: 1.9
url:http://www.exploit-db.com/exploits/33633
Trust: 1.7
url:http://www.securityfocus.com/bid/67830
Trust: 1.1
url:http://seclists.org/fulldisclosure/2014/jun/19
Trust: 1.1
url:http://www.securitytracker.com/id/1030335
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3878
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3878
Trust: 0.8
url:http://www.ipswitch.com/products/imail_server/index.html
Trust: 0.3
sources:
            
            
            VULHUB: VHN-71818 // 
            
            
            
            BID: 67830 // 
            
            
            
            JVNDB: JVNDB-2014-002758 // 
            
            
            
            CNNVD: CNNVD-201406-063 // 
            
            
            
            NVD: CVE-2014-3878

CREDITS
Peru
Trust: 0.3
sources:
            
            
            BID: 67830

SOURCES
db:VULHUBid:VHN-71818
db:BIDid:67830
db:JVNDBid:JVNDB-2014-002758
db:CNNVDid:CNNVD-201406-063
db:NVDid:CVE-2014-3878

LAST UPDATE DATE
2025-04-13T23:39:10.309000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-71818date:2015-08-31T00:00:00
db:BIDid:67830date:2014-06-04T00:00:00
db:JVNDBid:JVNDB-2014-002758date:2014-06-06T00:00:00
db:CNNVDid:CNNVD-201406-063date:2014-06-06T00:00:00
db:NVDid:CVE-2014-3878date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-71818date:2014-06-05T00:00:00
db:BIDid:67830date:2014-06-04T00:00:00
db:JVNDBid:JVNDB-2014-002758date:2014-06-06T00:00:00
db:CNNVDid:CNNVD-201406-063date:2014-06-06T00:00:00
db:NVDid:CVE-2014-3878date:2014-06-05T17:55:06.807