Products: IMail Server Plus, IMail Server Premium, IMail Server

Cross Site Scripting Vulnerability v12



A Cross Site Scripting (XSS) vulnerability was discovered within the IMail web interface by an anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program.

This vulnerability could allow an attacker to inject XSS into an email to extract information about the web session, then possibly hijack the session and take over the user's account.

We would like to thank them for letting us know about this vulnerability.

This XSS vulnerability DOES NOT affect versions prior to 12.0. 
We have a patch that will correct this vulnerability and you may handle it in one of two ways:
Option Number 1: If you ARE NOT CURRENTLY running IMail version 12.5.3: Download and upgrade IMail to version from this link.

Option Number 2: If you ARE CURRENTLY on IMail version 12.5.3, you may download the new WebClient v2 zip file from this link and follow these steps, or use Option 1.
  1. Download and save the zip file to your server
  2. Stop the World Wide Web Publishing Service in Windows Services
  3. Rename the ...\IMail\WebDir\WebClient v2 directory to something else
  4. Unzip the new WebClient v2 into the ...\IMail\WebDir directory
    Note: If you have customized or branded the web interface, copy .\IMail\WebDir\WebClient v2\Login\DomainBranding from the old directory to the new.
  5. Ensure the Windows Permissions are set on the new folder
    • Right mouse click on WebClient v2 folder and select properties
    • Click on the Security Tab
    • Click the Advanced button
    • Make sure inherit from parent is selected
    • Click OK to close properties windows
  6. Restart the World Wide Web Publishing Service
  7. Test Web Mail
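
Steps 2 through 6 as a PowerShell script, run from an elevated prompt. This is an added example, not vendor-supplied code: the `$IMailRoot` and `$ZipPath` parameters are placeholders for the install directory the steps write as `...\IMail` and for wherever the zip was saved in step 1, `W3SVC` is the standard service name of the World Wide Web Publishing Service, and the zip is assumed to contain a top-level `WebClient v2` folder.

```powershell
param(
    [Parameter(Mandatory)] [string] $IMailRoot,  # placeholder: the ...\IMail install directory
    [Parameter(Mandatory)] [string] $ZipPath     # placeholder: the zip saved in step 1
)
$ErrorActionPreference = 'Stop'   # halt on the first failure; the renamed old directory is kept

$webDir     = Join-Path $IMailRoot 'WebDir'
$current    = Join-Path $webDir 'WebClient v2'
$backupName = 'WebClient v2.old-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$backup     = Join-Path $webDir $backupName

if (-not (Test-Path -LiteralPath $current -PathType Container)) { throw "Not found: $current" }
if (-not (Test-Path -LiteralPath $ZipPath -PathType Leaf))      { throw "Not found: $ZipPath" }

# Step 2: stop the World Wide Web Publishing Service
Stop-Service -Name W3SVC

# Step 3: rename the existing directory so it can be restored if needed
Rename-Item -LiteralPath $current -NewName $backupName

# Step 4: unzip into WebDir (assumes the archive has a top-level "WebClient v2" folder)
Expand-Archive -LiteralPath $ZipPath -DestinationPath $webDir
if (-not (Test-Path -LiteralPath $current -PathType Container)) {
    throw "Archive did not create '$current'; check its layout before restarting the service."
}

# Note under step 4: carry customized branding over from the old directory
$oldBranding = Join-Path $backup 'Login\DomainBranding'
if (Test-Path -LiteralPath $oldBranding -PathType Container) {
    Copy-Item -LiteralPath $oldBranding -Destination (Join-Path $current 'Login') -Recurse -Force
}

# Step 5: make sure the new folder inherits permissions from its parent
$acl = Get-Acl -LiteralPath $current
if ($acl.AreAccessRulesProtected) {
    $acl.SetAccessRuleProtection($false, $false)   # re-enable inheritance
    Set-Acl -LiteralPath $current -AclObject $acl
}

# Step 6: restart the service, then carry out step 7 (test Web Mail) by hand
Start-Service -Name W3SVC
Write-Output "Old web client kept at: $backup"
```

If any step fails, the script stops with the service still stopped and the previous web client preserved under its renamed directory.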
Version: 12.0; 12.1; 12.2; 12.3; 12.4; 12.5; 12.5.1; 12.5.2; 12.5.3
