SuperWebMailer 5.50.0.01160 Cross Site Scripting
Posted Mar 11, 2015
Authored by Jing Wang

SuperWebMailer version 5.50.0.01160 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 11a65aef4c3e0644db801f91caa34067f8f852e9810b45ced9e3cb69e66b0feb

*SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: SuperWebMailer defaultnewsletter.php HTMLForm Parameter XSS Security Vulnerabilities
Product: SuperWebMailer
Vendor: SuperWebMailer
Vulnerable Versions: 5.*.0.* 4.*.0.*
Tested Version: 5.*.0.* 4.*.0.*
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
SuperWebMailer



*Product & Vulnerable Versions:*
SuperWebMailer
5.60.0.01190
5.50.0.01160
5.40.0.01145
5.30.0.01123
5.20.0.01113
5.10.0.00982
5.05.0.00970
5.02.0.00965
5.00.0.00962
4.50.0.00930
4.40.0.00917
4.31.0.00914
4.30.0.00907
4.20.0.00892
4.10.0.00875


*Vendor URL & Download:*
SuperWebMailer can be obtained from:
http://www.superwebmailer.de/



*Product Introduction:*
"Super webmail is a web-based PHP Newsletter Software. The web-based PHP
Newsletter Software Super webmail is the optimal solution for the
implementation of successful e-mail marketing."

"To use the online PHP Newsletter Script, your own website / server with
PHP 4 or newer, MySQL 3.23 or later and the ability to execute CronJobs is
required. Once installed, the online newsletter software Super webmail can
be served directly in the browser. The PHP Newsletter Tool Super webmail
can therefore be used platform-independently on all operating systems such
as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP
Newsletter Script allows you to manage your newsletter recipients including
registration and deregistration from the newsletter mailing list by
Double Opt-In, Double Opt-Out and automatic bounce management. Send your
personalized newsletter / e-mails online in HTML and Text format with
embedded images and attachments immediately in the browser or by CronJob
script in the background, immediately or at a later time. With the
integrated tracking function you can monitor the success of the newsletter
mailing; the openings of the newsletter and clicks on links in the
newsletter are thereby graphically evaluated and presented. Use the
integrated autoresponder to send absence messages automatically or to
confirm the receipt of e-mails."

"It now includes CKEditor 4.4.7. An upgrade to the latest version is
recommended, as a vulnerability was found in CKEditor 4.4.5. Super webmail
from now on contains a new chart component for the statistics that does not
need Flash and is therefore also rendered on Apple devices. For the
newsletter tracking statistics an easy print version of the charts is now
available that can be printed or, with a PDF printer driver installed,
saved to a PDF file. When viewing the e-mails in the mailing lists, the
sender of the e-mail that sent it to the mailing list is displayed in a
column. For form creation for the newsletter subscription / cancellation
there are now available variant"





*(2) Vulnerability Details:*
The SuperWebMailer web application is vulnerable to cross-site scripting
(XSS). A remote attacker can craft a request that, when opened by a victim,
executes arbitrary script code in the victim's browser session within the
trust relationship between that browser and the server. Other researchers
have reported XSS vulnerabilities in SuperWebMailer before, and the vendor
has patched those.


*(2.1)* The flaw is in the "defaultnewsletter.php" page, in its handling of
the "HTMLForm" parameter.

*References:*
http://tetraph.com/security/xss-vulnerability/superwebmailer-5-50-0-01160-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/superwebmailer-550001160-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/superwebmailer-5-50-0-01160-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/superwebmailer-5-50-0-01160-xss-cross-site-scripting-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/superwebmailer-5-50-0-01160-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2
https://cxsecurity.com/issue/WLB-2015030043

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious
