CVE-2009-4743

AfterLogic WebMail Pro <4.7.10 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4743. PoCs published by Sébastien Duquette.

AI-analyzed exploit summary This is a proof-of-concept for a stored XSS vulnerability in AfterLogic WebMail Pro. The exploit leverages unsanitized user input in the 'HistoryStorageObjectName' parameter to execute arbitrary JavaScript in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in history-storage.aspx in AfterLogic WebMail Pro 4.7.10 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) HistoryStorageObjectName and (2) HistoryKey parameters.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Sébastien Duquette · htmlwebappsasp
https://www.exploit-db.com/exploits/33268

This is a proof-of-concept for a stored XSS vulnerability in AfterLogic WebMail Pro. The exploit leverages unsanitized user input in the 'HistoryStorageObjectName' parameter to execute arbitrary JavaScript in the context of the affected site.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: AfterLogic WebMail Pro 4.7.10 and prior
No auth needed
Prerequisites: Victim interaction required (e.g., visiting a malicious page or clicking a link)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Sébastien Duquette · textwebappsasp
https://www.exploit-db.com/exploits/9857

This is a working proof-of-concept for a Cross-Site Scripting (XSS) vulnerability in AfterLogic WebMail Pro. The exploit demonstrates how malicious JavaScript can be injected via the 'HistoryStorageObjectName' parameter in the 'history-storage.aspx' page.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: AfterLogic WebMail Pro <= 4.7.10
Auth required
Prerequisites: Target user must be logged into the webmail application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/53672
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36605
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36964
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/58712

Scores

EPSS 0.0152
EPSS Percentile 71.4%

Details

CWE
CWE-79
Status published
Products (2)
afterlogic/webmail_pro 4.5
afterlogic/webmail_pro < 4.7.10
Published Mar 26, 2010
Tracked Since Feb 18, 2026