Summary
Detail | | | |
---|---|---|---|
Vendor | Netwin | First view | 2004-12-31 |
Product | Surgemail | Last view | 2011-01-07 |
Version | 1.6b | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:netwin:surgemail | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
4.3 | 2011-01-07 | CVE-2010-3201 | Cross-site scripting (XSS) vulnerability in NetWin Surgemail before 4.3g allows remote attackers to inject arbitrary web script or HTML via the username_ex parameter to the surgeweb program. |
5 | 2008-06-25 | CVE-2008-2859 | Unspecified vulnerability in the IMAP service in NetWin SurgeMail before 3.9g2 allows remote attackers to cause a denial of service (daemon crash) via unknown vectors related to an "imap command." |
9 | 2008-03-25 | CVE-2008-1498 | Stack-based buffer overflow in the IMAP service in NetWin Surgemail 3.8k4-4 and earlier allows remote authenticated users to execute arbitrary code via a long first argument to the LIST command. |
7.5 | 2008-02-27 | CVE-2008-1055 | Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in the page parameter. |
4.3 | 2004-12-31 | CVE-2004-2548 | Multiple cross-site scripting (XSS) vulnerabilities in NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to inject arbitrary web script or HTML via (a) a URI containing the script, or (b) the username field in the login form. NOTE: it is possible that the first attack vector is resultant from the error message issue (CVE-2004-2547). |
2.6 | 2004-12-31 | CVE-2004-2547 | NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attackers to obtain sensitive information via HTTP requests that (a) specify the / URI, (b) specify the /scripts/ URI, or (c) specify a non-existent file, which reveal the path in an error message. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
33% (1) | CWE-134 | Uncontrolled Format String |
33% (1) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
33% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
68323 | SurgeMail SurgeWeb /surgeweb username_ex Parameter XSS |
46434 | SurgeMail IMAP APPEND Command Handling Unspecified DoS |
43853 | SurgeMail IMAP Service LIST Command Argument Handling Remote Overflow |
42981 | SurgeMail webmail.exe page Variable Remote Format String |
6746 | SurgeMail/WebMail Login Form XSS |
6745 | SurgeMail/WebMail Error Message Path Disclosure |
OpenVAS Exploits
Date | Description |
---|---|
2011-01-18 | Name : SurgeMail SurgeWeb Cross Site Scripting Vulnerability File : nvt/gb_surgemail_surgeweb_xss_vuln.nasl |
2010-10-05 | Name : SurgeMail SurgeWeb Cross Site Scripting Vulnerability File : nvt/gb_surgemail_43679.nasl |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | SurgeMail webmail.exe page format string exploit attempt RuleID : 21609 - Type : SERVER-WEBAPP - Revision : 6 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-10-04 | Name: The remote web server is affected by a cross-site scripting vulnerability. File: surgemail_surgeweb_xss.nasl - Type: ACT_ATTACK |
2008-06-30 | Name: The remote mail server is prone to denial of service attacks. File: surgemail_imap_command_unspecified_dos.nasl - Type: ACT_GATHER_INFO |