VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1418

Description

WPKontakt ≤3.0.1 is vulnerable to XSS via an unquoted e‑mail address that triggers a parsing error, allowing remote script execution in the Internet Zone.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WPKontakt version 3.0.1 and earlier, an instant messaging application from Wirtualna Polska, contains a cross‑site scripting (XSS) vulnerability in message parsing [1]. When an attacker supplies a specially crafted e‑mail address that is not properly quoted during the parsing step, the application generates a parsing error that leaves the embedded script exposed. The vulnerability is similar to earlier issues found in GG and Tlen.pl [1].

Exploitation

The attacker sends an e‑mail address containing a crafted string, such as test@"style="background-image:url(javascript:alert(1))".wp.pl, to a user of the affected WPKontakt version [1]. No authentication or special privileges are required; the attacker only needs the ability to deliver a message to the victim. When the message is processed and the parsing error occurs, the injected script executes without further user interaction [1].

Impact

Successful exploitation results in arbitrary web script or HTML execution in the context of the Internet Zone (typically the browser’s Local Machine Zone for Internet Explorer) [1]. An attacker can steal cookies, modify page content, or perform other actions on the victim’s machine that the browser’s zone permissions allow, potentially leading to remote compromise of the user’s session.

Mitigation

According to the vendor advisory, users should upgrade to WPKontakt version 3.0.1p1, which was released shortly after the disclosure [1]. No workaround is described for versions earlier than 3.0.1p1. The vulnerability does not appear on the CISA KEV list.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
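
The sketch below is an added example, not WPKontakt's code and not taken from the vendor advisory. It assumes a chat client that auto-links e-mail addresses into HTML (the function names and the loose matching pattern are hypothetical) and runs the sample string quoted above through an unescaped linkifier and a hardened one.

```javascript
// Added illustration, not WPKontakt code. Assumption: the client renders
// messages as HTML and auto-links anything that looks like an e-mail address.

// Hypothetical loose matcher: any run of non-space characters around '@'.
const LOOSE_EMAIL = /\S+@\S+/g;

// Vulnerable form: the matched text is copied into the markup unescaped,
// so a double quote inside the "address" ends the href attribute early.
function linkifyUnsafe(message) {
  return message.replace(LOOSE_EMAIL, (addr) => `<a href="mailto:${addr}">${addr}</a>`);
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Strict matcher: conservative local part, dot-separated host labels only.
const STRICT_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Hardened form: escape every token, and link only tokens that pass the
// strict pattern. Everything else is shown as inert text.
function linkifySafe(message) {
  return message
    .split(/(\s+)/) // keep whitespace separators so the text round-trips
    .map((token) => {
      const safe = escapeHtml(token);
      return STRICT_EMAIL.test(token) ? `<a href="mailto:${safe}">${safe}</a>` : safe;
    })
    .join("");
}

// Check for output review: does an <a> tag carry a style attribute?
function hasInjectedStyle(html) {
  return /<a\b[^>]*style=/i.test(html);
}

// Sample string quoted in the advisory text above.
const SAMPLE = 'test@"style="background-image:url(javascript:alert(1))".wp.pl';

console.log(hasInjectedStyle(linkifyUnsafe(SAMPLE)));
console.log(hasInjectedStyle(linkifySafe(SAMPLE)));
console.log(linkifySafe("write to jan@wp.pl today"));
```

The strict pattern rejects the sample before any markup is built, and escaping is applied to every token regardless, so the two controls do not depend on each other.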
