[原文]Cross-site scripting (XSS) vulnerability in PSCS VPOP3 Web Mail server 2.0e and 2.0f allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to the admin/index.html page.
It has been reported that PSCS VPOP3 Email Server may be prone to a cross-site scripting vulnerability that may allow a remote attacker to embed malicious HTML and script code in a link. The issue is reported to be present in the WebAdmin utility of the software because of improper sanitization of user-supplied data that will be displayed by the utility.
Successful exploitation of this attack may allow an attacker to steal cookie-based authentication information that could be used to launch further attacks.
PSCS VPOP3 versions 2.0.0e and 2.0.0f have been reported to be prone to this vulnerability, however other versions may be affected as well.
VPOP3 contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate variables upon submission to the login script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 2.0.0g or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.