Overview
A script injection vulnerability exists in Yahoo! Mail.
Description
Yahoo! Mail is vulnerable to script injection. Specifically, Yahoo! Mail fails to properly filter the body of email messages for script code. If a remote attacker can persuade a user to open a specially crafted email message, that attacker may be able to execute arbitrary script in the security context of the victim user on the client system. Note that exploit code for this vulnerability is publicly available.
Impact
An attacker may be able to obtain sensitive data from a Yahoo! Mail account. This data could include cookies, email messages, and email addresses stored in the Yahoo! Mail address book.
Solution
Yahoo is addressing this issue by filtering Yahoo! Mail email for suspicious content.
Acknowledgements
This vulnerability was reported by David Loyall.
This document was written by Jeff Gennari.
Other Information
CVE IDs: None
Severity Metric: 17.48
Date Public: 2006-06-11
Date First Published: 2006-06-14
Date Last Updated: 2006-08-24 12:58 UTC
Document Revision: 44