CVE-2013-6229

Atmail Webmail Server 7.0.2 - Cross-Site Scripting via Filter or MailId Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-6229. PoCs published by Vicente Aguilera Diaz.

AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in Atmail 7.0.2, where user-supplied input is not properly sanitized, allowing arbitrary script execution in the context of the affected site.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Atmail Webmail Server 7.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) filter parameter to index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5 or (2) mailId[] parameter to index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash. NOTE: the view attachment message process vector is already covered by CVE-2013-2585.

Exploits (3)

exploitdb WRITEUP VERIFIED
by Vicente Aguilera Diaz · textwebappsphp
https://www.exploit-db.com/exploits/39079

The provided text describes a cross-site scripting (XSS) vulnerability in Atmail 7.0.2, where user-supplied input is not properly sanitized, allowing arbitrary script execution in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Atmail 7.0.2
No auth needed
Prerequisites: Access to the vulnerable Atmail web interface
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Vicente Aguilera Diaz · textwebappsphp
https://www.exploit-db.com/exploits/39080

The provided text describes a cross-site scripting (XSS) vulnerability in Atmail 7.0.2, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject malicious script code via the 'filter' parameter.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Atmail 7.0.2
No auth needed
Prerequisites: Access to a vulnerable Atmail instance · Ability to craft a malicious URL with XSS payload
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Vicente Aguilera Diaz · textwebappsphp
https://www.exploit-db.com/exploits/39081

The provided text describes a cross-site scripting (XSS) vulnerability in Atmail 7.0.2, where user-supplied input is not properly sanitized, allowing arbitrary script execution in the context of the affected site. The example URL demonstrates the vulnerability by injecting malicious input into the 'mailId' parameter.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Atmail 7.0.2
No auth needed
Prerequisites: Access to a vulnerable Atmail instance
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/530934/100/0/threaded

Scores

EPSS 0.0178
EPSS Percentile 75.6%

Details

CWE
CWE-79
Status published
Products (1)
atmail/atmail 7.0.2
Published Feb 12, 2014
Tracked Since Feb 18, 2026