VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2494

Description

Cross-site scripting in the _error script of Ability Mail Server 1.18 allows remote injection of arbitrary web script via the erromsg parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Ability Mail Server version 1.18 includes a cross-site scripting (XSS) vulnerability in the _error script. The erromsg parameter is not sanitized before being reflected in the error page, allowing injection of arbitrary HTML and JavaScript. [1]

Exploitation

An attacker can craft a URI containing malicious script in the erromsg parameter. No authentication is required; the attacker only needs to convince a victim to visit the crafted URL, for example through a link sent by email. The injected script executes in the victim's browser in the context of the Ability Mail Server domain.

Impact

Successful exploitation enables arbitrary web script or HTML injection, potentially leading to session hijacking, credential theft, or defacement. The attacker gains the ability to perform actions on behalf of the victim within the mail server's web interface.

Mitigation

Upgrade to a patched version of Ability Mail Server beyond 1.18. As of the CVE publication (2004), no specific patch version is detailed in available references; administrators should consult the vendor for updated software. [1]
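
With no fixed version identified, web access logs can be reviewed for requests that carry markup in erromsg. The following is an added example, not vendor or advisory code: it assumes Common Log Format lines and a request path ending in `_error`, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: Common Log Format, request line in the first quoted field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tag openers, javascript: URLs and inline event handlers do not belong in a plain-text error message.
MARKUP_RE = re.compile(r"<\s*[a-z/!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (up to `rounds`) until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_erromsg(log_line):
    """Return the decoded erromsg value if it carries markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("_error"):  # assumed path of the script
        return None
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() != "erromsg":  # match the parameter name case-insensitively
            continue
        for raw in values:  # parse_qs has already decoded one layer
            decoded = fully_decode(raw)
            if MARKUP_RE.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    checked = ((n, suspicious_erromsg(line)) for n, line in enumerate(lines, start=1))
    return [(n, value) for n, value in checked if value is not None]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /_error?erromsg=Invalid+login HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2005:10:02:13 +0000] "GET /_error?erromsg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 540',
    '192.0.2.44 - - [01/Jan/2005:10:02:20 +0000] "GET /_error?ErroMsg=%253Cimg%2520src%253Dx%253E HTTP/1.0" 200 533',
    '192.0.2.51 - - [01/Jan/2005:10:05:00 +0000] "GET /inbox?erromsg=%3Cb%3E HTTP/1.0" 404 120',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The repeated decoding matters because a value encoded twice looks harmless after a single pass; the third sample line is only flagged once both layers are removed.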

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6