Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org .
NOCC is a web based email client implemented in PHP4. It includes support for POP3, SMTP and IMAP servers, MIME attachments and multiple languages.
A script injection issue has been reported with the way emails are displayed to users of NOCC webmail. A malicious attacker can include script code in an email and potentially get full access to a victim's mailbox.
This will show the victim's session id.
NOCC contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the content of an email when a user views the email. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
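The flaw described above, shown as an added example rather than NOCC's own code: a webmail page that writes the decoded message body straight into the HTML it sends to the reader (the vulnerable pattern), beside the same rendering with the body HTML-encoded first (the hardened pattern). The function names, the `check_rendering()` self-check and the sample message body are assumptions constructed for this illustration and do not come from the advisory.

```php
<?php
// Added example, not NOCC code. $body is assumed to be the already-decoded
// text/plain part of one message, as a webmail client would have it after
// MIME decoding.

// Vulnerable pattern: the body goes into the page unchanged. Any <script>
// element or on* event handler inside the message therefore runs in the
// reader's browser, inside the authenticated webmail session (stored XSS).
function render_body_unsafe($body) {
    return '<div class="mail-body">' . nl2br($body) . '</div>';
}

// Hardened pattern: HTML-encode the body, then convert newlines. The order
// matters: running nl2br() before htmlspecialchars() would escape the
// <br /> tags it just inserted, so escape first and add line breaks second.
// ENT_QUOTES also encodes quotes, so the value is safe inside attributes.
function render_body_safe($body) {
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    return '<div class="mail-body">' . nl2br($escaped) . '</div>';
}

// Self-check a reviewer can run: the escaped rendering must contain no
// live tag, only the encoded form of the markup that was in the message.
// Returns true when the hardened function behaves as intended.
function check_rendering() {
    // Constructed sample body (not from the advisory): a harmless script
    // element embedded in an otherwise ordinary message.
    $body = "Hello,\n<script>alert('xss')</script>\nRegards";

    $unsafe = render_body_unsafe($body);
    $safe   = render_body_safe($body);

    $unsafe_has_tag = (strpos($unsafe, '<script>') !== false);
    $safe_has_tag   = (strpos($safe, '<script>') !== false);
    $safe_encoded   = (strpos($safe, '&lt;script&gt;') !== false);

    return $unsafe_has_tag && !$safe_has_tag && $safe_encoded;
}

echo check_rendering() ? "escaping OK\n" : "escaping FAILED\n";
```

Escaping is the right fix only for text/plain parts. A text/html part cannot be HTML-encoded without destroying the message, so it has to go through an allow-list sanitizer that strips `script` elements, `on*` attributes and `javascript:` URLs, or be shown as plain text. As defence in depth, marking the session cookie HttpOnly (available from PHP 5.2 onward, not in the PHP4 the product targets) keeps an injected script from reading the session id directly, though it does not stop the script from acting within the session.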
Currently, there are no known workarounds or upgrades to correct this issue. However, NOCC has released a patch to address this vulnerability.