VYPR
Medium severity 6.1 · NVD Advisory · Published Aug 29, 2017 · Updated May 13, 2026

CVE-2015-6942

Description

Cross-site scripting (XSS) vulnerability in Coremail XT3.0 allows remote attackers to inject arbitrary web script or HTML via a hyperlink in a document attachment.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in Coremail XT3.0 allows attackers to execute arbitrary JavaScript by sending a document with a malicious hyperlink.

Vulnerability

Coremail XT3.0 contains a stored cross-site scripting vulnerability in the document preview functionality. An attacker can create a document with a hyperlink containing JavaScript code (e.g., javascript:alert(1)), attach the document to an email, and send it to other users. When the recipient previews the document online and clicks the hyperlink, the script executes in the context of their browser. This affects all versions of Coremail XT3.0 [1].

Exploitation

To exploit this vulnerability, an attacker needs the ability to compose and send emails with attachments. The attacker creates a document, inserts a hyperlink with a JavaScript payload, saves it, and attaches it to an email. The email is then sent to the target. When the target opens the email, clicks on the attachment to preview the document, and subsequently clicks the malicious hyperlink, the attacker-supplied JavaScript executes. User interaction is required (clicking the hyperlink) [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of sensitive data, defacement of the web interface, or other client-side attacks within the context of the victim's session [1].

Mitigation

As of the disclosure in [1], no official patch has been released by Coremail. Users should disable document preview functionality if possible, or avoid clicking hyperlinks in previewed documents. Administrators may consider implementing Content Security Policy (CSP) headers to mitigate the impact of XSS. Given the age of the vulnerability and lack of vendor update, upgrading to a later, unsupported version may not be an option; contacting the vendor for remediation is advised.
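
An added example, not Coremail's code and not taken from the advisory: one way a document-preview renderer could allowlist hyperlink schemes so that a `javascript:` link like the one described above is rendered as inert text. The function names, the `blocked-link` class and the allowed scheme list are assumptions.

```javascript
// Added example: hypothetical helpers for a document-preview renderer.
// ALLOWED_SCHEMES is an assumption; trim it to what the deployment needs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape text for HTML text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the parsed, normalized URL if its scheme is allowlisted, else null.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser is the algorithm browsers apply to href values:
    // it trims leading control characters and spaces, drops tabs and
    // newlines, and lowercases the scheme, so obfuscated spellings such as
    // " JaVa\tScRiPt:" resolve to "javascript:" here exactly as they would
    // in the victim's browser.
    url = new URL(raw);
  } catch {
    // Relative or scheme-less values have no safe meaning in a preview.
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render one hyperlink extracted from an attachment. Rejected targets keep
// their visible text but lose the anchor, so there is nothing to click.
function renderLink(rawHref, text) {
  const href = safeHref(rawHref);
  if (href === null) {
    return `<span class="blocked-link">${escapeHtml(text)}</span>`;
  }
  // Emit the parsed href, never the raw string from the document.
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${escapeHtml(text)}</a>`;
}

// Constructed sample links, as they might be extracted from an attachment.
const SAMPLE_LINKS = [
  ["https://example.com/?a=1&b=2", "Quarterly report"],
  ["javascript:alert(1)", "Click <here>"],
  [" JaVa\tScRiPt:alert(1)", "Obfuscated scheme"],
];
const renderedSamples = SAMPLE_LINKS.map(([h, t]) => renderLink(h, t));
```

A scheme allowlist applied at render time addresses the injection point itself; a Content Security Policy remains a second layer if a link slips through.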

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
