CVE-2012-2573

T-dah WebMail 3.2.0-2.3 - Stored Cross-Site Scripting via Email Message Body


Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-2573. PoCs published by Shai rod, loneferret.

AI-analyzed exploit summary: This Python script demonstrates multiple stored XSS vulnerabilities in T-dah Webmail 3.2.0 by sending an email with malicious payloads in the body. The payloads include JavaScript injection via <img> tags and <a> tags, which execute when the victim interacts with the email.

Description

Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3.2.0-2.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) an ONLOAD attribute of a BODY element, (5) a crafted SRC attribute of an IFRAME element, (6) a crafted CONTENT attribute of an HTTP-EQUIV="refresh" META element, or (7) a data: URL in the CONTENT attribute of an HTTP-EQUIV="refresh" META element.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Shai rod · python · webapps · php
https://www.exploit-db.com/exploits/20579

This Python script demonstrates multiple stored XSS vulnerabilities in T-dah Webmail 3.2.0 by sending an email with malicious payloads in the body. The payloads include JavaScript injection via <img> tags and <a> tags, which execute when the victim interacts with the email.

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: T-dah Webmail 3.2.0
No auth needed
Prerequisites: Access to an SMTP server · Valid email credentials for sending the malicious email
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by loneferret · python · webapps · php
https://www.exploit-db.com/exploits/20364

This exploit demonstrates a stored XSS vulnerability in T-dah Webmail Client 3.2.0-2.3 by sending an email with a malicious payload. The payload is injected into the email body and executed when the victim views the email.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: T-dah Webmail Client 3.2.0-2.3
Auth required
Prerequisites: Valid SMTP credentials · Access to the target email server
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/20364/

Scores

EPSS 0.0134
EPSS Percentile 67.7%

Details

CWE: CWE-79
Status: published
Products (1): tdah/t-day_webmail 3.2.0-2.3
Published: Aug 12, 2012
Tracked Since: Feb 18, 2026