Description
Cross-site scripting (XSS) vulnerability in kmMail 1.0, 1.0a, and 1.0b allows remote attackers to inject arbitrary web script or HTML via (1) javascript in onmouseover or other attributes in "safe" HTML tags such as the "b" tag, or (2) the Subject field.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Ulf Harnhammar · text · webapps · php
https://www.exploit-db.com/exploits/21956
References (5)
Core References
Patch · x_refsource_confirm · http://sourceforge.net/forum/forum.php?forum_id=191501
Patch · vdb-entry · x_refsource_xf · http://www.iss.net/security_center/static/9507.php
Mailing List · mailing-list · x_refsource_fulldisc · http://lists.grok.org.uk/pipermail/full-disclosure/2002-October/002207.html
Patch · vdb-entry · x_refsource_bid · http://www.securityfocus.com/bid/5173
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_bid · http://www.securityfocus.com/bid/6013
Scores
EPSS: 0.0113
EPSS Percentile: 78.5%
Details
CWE: CWE-79
Status: published
Products (3)
kmmail/kmmail 1.0
kmmail/kmmail 1.0a
kmmail/kmmail 1.0b
Published: Dec 31, 2002
Tracked Since: Feb 18, 2026