HGiga MailSherlock - XSS -2
Description
HGiga MailSherlock does not validate user parameters on multiple login pages. Attackers can use the vulnerability to inject JavaScript syntax for XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HGiga MailSherlock login pages lack input validation, allowing reflected XSS attacks via crafted parameters.
Vulnerability
HGiga MailSherlock is vulnerable to cross-site scripting (XSS) due to insufficient validation of user-supplied parameters on multiple login pages. Affected products include iSherlock MSR45 and SSR45 with system packages iSherlock-user-4.5 prior to version 120 and iSherlock-antispam-4.5 prior to version 133 [1].
Exploitation
An unauthenticated attacker can craft a malicious URL containing JavaScript payloads in the parameter values. By tricking a victim into visiting such a URL (e.g., via phishing), the attacker can inject arbitrary script code into the context of the user's browser session with the MailSherlock application [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS score is 7.0 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L [1].
Mitigation
HGiga has released fixed packages: update to iSherlock-user-4.5-120.i386.rpm and iSherlock-antispam-4.5-133.i386.rpm for the affected system versions [1]. No workarounds are documented; applying the patch is the recommended mitigation.
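As an added check for the mitigation above (example code, not HGiga's own tooling), the following POSIX shell script classifies rpm package labels against the fixed releases the advisory names; it assumes the rpm names are `iSherlock-user` and `iSherlock-antispam` with version `4.5` and a numeric release, which the page does not confirm.

```shell
#!/bin/sh
# Added example, not HGiga's tooling: classify an rpm package label against the
# fixed releases the advisory names (iSherlock-user-4.5-120, iSherlock-antispam-4.5-133).
# ASSUMPTION: rpm NAME is "iSherlock-user" / "iSherlock-antispam", VERSION is "4.5"
# and RELEASE is the numeric build (120 / 133); adjust the case arms if the real
# packaging differs.

# status_of NAME-VERSION-RELEASE[.ARCH]
# Prints FIXED, VULNERABLE, or UNTRACKED (not a package/version the advisory covers).
status_of() {
    case $1 in
        *.i386|*.x86_64|*.noarch) nvr=${1%.*} ;;   # strip only a known arch suffix
        *) nvr=$1 ;;
    esac
    rel=${nvr##*-}; rest=${nvr%-*}                  # split NAME-VERSION-RELEASE
    ver=${rest##*-}; name=${rest%-*}

    # Fixed VERSION/RELEASE per package, taken from the advisory text.
    case $name in
        iSherlock-user)     fixed_ver=4.5; fixed_rel=120 ;;
        iSherlock-antispam) fixed_ver=4.5; fixed_rel=133 ;;
        *) echo UNTRACKED; return 0 ;;
    esac

    # Only the 4.5 line is described; a non-numeric release cannot be compared.
    case $rel in *[!0-9]*|'') echo UNTRACKED; return 0 ;; esac
    if [ "$ver" != "$fixed_ver" ]; then
        echo UNTRACKED
    elif [ "$rel" -ge "$fixed_rel" ]; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Constructed sample of `rpm -q` output so the script runs without rpm installed;
# pass --live on a real MailSherlock host to query the rpm database instead.
SAMPLE='iSherlock-user-4.5-118.i386
iSherlock-antispam-4.5-133.i386'
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    rpm -q iSherlock-user iSherlock-antispam 2>/dev/null
else
    echo "$SAMPLE"
fi | while read -r pkg; do
    printf '%-10s %s\n' "$(status_of "$pkg")" "$pkg"
done
```

Anything reported VULNERABLE needs the fixed package installed; UNTRACKED lines (other packages or versions) need a manual look, since the advisory only describes the 4.5 line.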
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HGiga/MailSherlock MSR45/SSR45 v5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.twcert.org.tw/tw/cp-132-4260-ba376-1.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.