CVE-2012-3536
Description
Two XSS vulnerabilities in Hupa Webmail allow an attacker to execute JavaScript by sending a crafted email, fixed in version 0.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Two cross-site scripting (XSS) vulnerabilities were discovered in the Hupa Webmail application, part of the Apache James project. The flaws existed in the message list and message view components. The application used setHTML() instead of setText() when rendering email content, allowing an attacker to inject arbitrary HTML and JavaScript. All versions prior to Hupa 0.0.3 are affected [1][2].
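The two rendering paths named above, and the server-side handler filter from the fix commit, modelled in Python as an added example (not Hupa's own code): render_cell_html and render_cell_text stand in for GWT's setHTML() and setText(), REGEX_BAD_ATTRS is a direct port of the patched regex_badAttrs from RegexPatterns.java, and replace_all_recursive is an assumed re-apply-until-stable loop, since the body of Hupa's replaceAllRecursive is not shown on this page.

```python
import html
import re

# Constructed model of the two GWT rendering paths named in the advisory (not Hupa code):
# setHTML() inserts the string as markup, setText() inserts it as escaped text.
def render_cell_html(cell_value: str) -> str:
    """Vulnerable path: an untrusted message field becomes markup (setHTML)."""
    return "<td>" + cell_value + "</td>"

def render_cell_text(cell_value: str) -> str:
    """Fixed path: the field is escaped, so it can only ever render as text (setText)."""
    return "<td>" + html.escape(cell_value, quote=True) + "</td>"

# Port of the patched regex_badAttrs / repl_badAttrs from RegexPatterns.java:
# Java "(?si)" is re.I | re.S, and the replacement "$1$4" is "\1\4".
EVENT_ATTR_REGEX = r"(?:on[a-z]+)"
REGEX_BAD_ATTRS = re.compile(
    r"""(<\w+[^<>]*)(?:["']|\s+)(""" + EVENT_ATTR_REGEX + r""")=["']?([^\s<>]+?)["']?([\s>])""",
    re.I | re.S,
)
REPL_BAD_ATTRS = r"\1\4"

def replace_all_recursive(text: str, pattern: re.Pattern, repl: str) -> str:
    """Assumed behaviour of Hupa's replaceAllRecursive: re-apply until nothing changes.
    One pass only removes the last handler inside a tag (group 1 is greedy),
    so the loop is what strips every handler attribute."""
    while True:
        new_text = pattern.sub(repl, text)
        if new_text == text:
            return new_text
        text = new_text

def strip_event_handlers(body_html: str) -> str:
    """Server-side filter step for HTML bodies, as the fix commit implements it."""
    return replace_all_recursive(body_html, REGEX_BAD_ATTRS, REPL_BAD_ATTRS)
```

The strings asserted in the fix commit's RegexPatternsTest come out the same under this port, which makes it a convenient place to try further inputs before trusting a regex denylist.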
Exploitation
An attacker can send a specially crafted email containing malicious HTML or JavaScript to a Hupa user. When the user opens the email or views the message list, the injected script executes in the context of the Hupa webmail session. No special network position or authentication is required beyond the ability to send an email to the victim [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the Hupa application's origin. This can lead to theft of session cookies, credentials, or other sensitive data, and may enable actions performed on behalf of the victim user [1].
Mitigation
The vulnerabilities were fixed in Hupa 0.0.3, released in June 2012 [3]. Users should upgrade to this version or later. No workarounds are documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james.hupa:hupa-parent (Maven) | < 0.0.3 | 0.0.3 |
Affected products
Patches (2)
aff28a8117a4 Fix XSS vulnerability in message list and view
5 files changed · +16 −7
client/src/main/java/org/apache/hupa/client/HupaCallback.java+1 −0 modified@@ -117,5 +117,6 @@ public void onSuccess(T result) { */ public void callbackError(Throwable caught) { System.out.println("HupaCallBack Error: " + caught); + caught.printStackTrace(); } }
client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java+3 −2 modified@@ -363,7 +363,7 @@ public void renderRowValue(Message rowValue, dtformat = DateTimeFormat.getFormat("dd.MMM.yyyy HH:mm"); } - view.setHTML(dtformat.format(rDate)); + view.setText(dtformat.format(rDate)); view.setHorizontalAlignment(HorizontalPanel.ALIGN_RIGHT); } @@ -528,7 +528,7 @@ public void renderRowValue(E rowValue, if (cellValue == null || cellValue.length() < 1) { view.setHTML(" "); } else { - view.setHTML(cellValue); + view.setText(cellValue); } } @@ -791,6 +791,7 @@ public void fillSearchOracle(ArrayList<Message> messages) { } public void setExpandLoading(boolean expanding) { + System.out.println("SSS " + expanding); if (expanding) { loading.show(); } else {
server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java+0 −2 modified@@ -137,8 +137,6 @@ protected MessageDetails mimeToDetails(MimeMessage message, String folderName, l boolean isHTML = handleParts(message, con, sbPlain, attachmentList); - System.out.println(isHTML); - if (isHTML) { mDetails.setText(filterHtmlDocument(sbPlain.toString(), folderName, uid)); } else {
server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java+3 −3 modified@@ -60,9 +60,9 @@ public class RegexPatterns { public static final Pattern regex_unneededTags = Pattern.compile("(?si)(</?(html|body)[^>]*?>)"); public static final String repl_unneededTags = ""; - - public static final String EVENT_ATTR_REGEX = "(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)"; - public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])"); + + public static final String EVENT_ATTR_REGEX = "(?:on[a-z]+)"; + public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)(?:[\"']|\\s+)("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])"); public static final String repl_badAttrs = "$1$4"; public static final Pattern regex_orphandHttpLinks = Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)" + HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java+9 −0 modified@@ -85,6 +85,15 @@ public void testRegexBadAttributes() { txt = "... <div attr=a onClick=\"something('');\" attr=b onMouseOver=whatever attr=c onKeyup=\"\" /> ..."; res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs); assertEquals("... <div attr=a attr=b attr=c /> ...", res); + + + txt = "... <img src='1.jpg' onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ..."; + res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs); + assertEquals("... <img src='1.jpg'> ...", res); + + txt = "... <img src=\"1.jpg\" onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ..."; + res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs); + assertEquals("... <img src=\"1.jpg\"> ...", res); } public void testRegexHtmlLinks() {
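Review bot: the added `caught.printStackTrace();` in HupaCallback.callbackError is debug output unrelated to the XSS fix and duplicates the existing `System.out.println` on the line above; drop it from this change or route it through a logger.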
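Review bot: in the IMAPMessageListView renderRowValue hunk, `view.setText(cellValue)` is the actual fix for the attacker-controlled cell; the `view.setHTML(" ")` left in the empty branch is a constant and is safe, but switching it to `setText(" ")` would leave no setHTML call in this renderer to be copied later.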
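Review bot: `System.out.println("SSS " + expanding);` added to setExpandLoading is a leftover debug line and should not be committed with the security fix.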
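Review bot: removing the stray `System.out.println(isHTML);` in GetMessageDetailsHandler is fine; note that the HTML branch still hands the body to filterHtmlDocument, so the safety of that path rests entirely on the patterns in RegexPatterns.java, and `mDetails.setText(...)` here receives filtered markup, not plain text. A comment at the call site saying so would help future readers.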
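Review bot: the new `(?:[\"']|\\s+)` alternative in regex_badAttrs is non-capturing while repl_badAttrs is still `$1$4`, so when a handler directly follows a quoted attribute value the closing quote is consumed and dropped from the output, producing a malformed tag such as `<img src='1.jpg>`. Making the quote branch a zero-width check, e.g. `(?:(?<=[\"'])|\\s+)`, keeps the quote inside group 1 without renumbering the groups. More generally, a regex denylist on `on[a-z]+` attribute names is brittle; a sanitizer that parses the HTML and allows only known-safe tags and attributes is the durable fix.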
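Review bot: both assertions added to testRegexBadAttributes put whitespace before `onerror`, so neither exercises the `[\"']` alternative this patch introduces in regex_badAttrs; add a case where the handler follows the closing quote with no space and assert that the quote survives, otherwise the new branch ships untested.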
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-7crp-p2vc-69r7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2012-3536 (advisory)
- svn.apache.org/viewvc (web)
- github.com/apache/james-hupa/commit/aff28a8117a49969b0fc8cc9926c19fa90146d8d (web)
- james.apache.org/hupa/index.html (web)
News mentions (0)
No linked articles in our index yet.