CVE-2012-2575

NetWin SurgeMail 6.0a4 - Cross-Site Scripting via IFRAME SRC Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2575. PoCs published by loneferret.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in SurgeMail 6.0a4 by sending an email with a malicious IFRAME payload. The payload executes JavaScript in the context of the victim's email client when the email is viewed.

Description

Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 6.0a4 allows remote attackers to inject arbitrary web script or HTML via the SRC attribute of an IFRAME element in the body of an HTML e-mail message.

Exploits (1)

exploitdb WORKING POC VERIFIED

by loneferret · pythonwebappswindows

https://www.exploit-db.com/exploits/20363

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in SurgeMail 6.0a4 by sending an email with a malicious IFRAME payload. The payload executes JavaScript in the context of the victim's email client when the email is viewed.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: SurgeMail 6.0a4

Auth required

Prerequisites: Valid SMTP credentials · Access to the SMTP server

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/20363/

Scores

EPSS 0.0132

EPSS Percentile 67.0%

Details

CWE

CWE-79

Status published

Products (1)

netwin/surgemail 6.0 a4

Published Sep 17, 2012

Tracked Since Feb 18, 2026