[原文]Cross-site scripting (XSS) vulnerability in admin.asp in CMailServer 5.2 allows remote attackers to execute arbitrary web script or HTML via personal information fields, such as (1) username, (2) name, or (3) comments.
CMailServer contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate users' details (username, name, comments, etc.) which are displayed in admin.asp. This could allow a malicious user to create specially crafted user details via setpersoninfo.asp that would execute arbitrary code in the WebMail administrator's browser, leading to a loss of integrity.
Upgrade to version 5.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.