Mojo Mail does not filter HTML tags from URI parameters, making it prone to cross-site scripting attacks.
As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running Mojo Mail.
This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.
Mojo Mail, now known as Dada Mail, contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'email' parameter upon submission to the 'mojo.cgi' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Currently, there are no known upgrades, patches or workarounds available to correct this vulnerability.
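With no fix available, a defender can at least look for requests matching this description in web server access logs. The following Python code is an added example, not part of the original advisory or of Mojo Mail itself; the access log format, the `/cgi-bin/` path and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside an access log entry (assumed common/combined log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to inject an HTML tag or break out of an attribute value.
MARKUP_RE = re.compile(r'[<>"]')

def suspicious_email_values(request_target):
    """Return decoded 'email' values sent to mojo.cgi that contain markup."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/mojo.cgi"):
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("email", []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        decoded = unquote(value)
        if MARKUP_RE.search(decoded):
            hits.append(decoded)
    return hits

def scan(log_lines):
    """Return (client_ip, decoded_value) for every flagged request."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for value in suspicious_email_values(match.group(1)):
            findings.append((client_ip, value))
    return findings

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /cgi-bin/mojo.cgi?email=alice%40example.org HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /cgi-bin/mojo.cgi?email=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /cgi-bin/mojo.cgi?email=%253Cb%253Ex HTTP/1.1" 200 470',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] '
    '"GET /index.html?email=%3Cb%3E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}: markup in email parameter: {value!r}")
```

This only inspects query strings; values submitted in a POST body do not appear in a standard access log and would need to be checked at a proxy or in the application.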