A friend and customer recently made a discovery about Interspire Email Marketer that is concerning. He already shared the details on the official customer forum but I’m reposting here.
Wanted to let you all know that IEM, even the current version 6.1.7, has an XSS (cross-site scripting) vulnerability that could allow anyone to use your IEM site’s install as a way to do malicious things like trick people into downloading malware, ransomware, etc.
an opening bracket “<”
some JS code to do something
a closing bracket “>”
This vulnerability does not put your IEM install data or control at risk; it means your IEM install can be used to exploit others. If you are not concerned about your IEM instance being used to exploit others, then ignore this posting.
I am fairly technical but not actually a programmer so I don’t fully understand this vulnerability… but my colleagues who are told me that this stems from the fact that IEM is not properly quoting data entered by the user when reflecting it back to them. Specifically, it comes from the %%PAGE%% substitutions they are doing without quoting %%PAGE%%. This is present in a number of pages across the software, but the worst offenders are
I reported it to IEM support and they mentioned they already had it in their internal bug tracker, so hopefully they fix it in a release coming soon. In the meantime, if you want to fix it yourself, comment out the culprit form tag and re-write it excluding the “%%PAGE%%” parameter. For example, in “admin/com/templates/login.tpl”
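The unquoted substitution described in the post, shown next to an encoded version. This is an added PHP example, not part of the original forum post and not IEM's code or the contents of login.tpl; the template line, function names, page allowlist and input are all constructed for illustration.

```php
<?php
// Constructed template line standing in for a form tag that embeds %%PAGE%%.
// It is an assumption for this example, not copied from any IEM template.
const TEMPLATE = '<form action="index.php?Page=%%PAGE%%" method="post">';

// Unquoted: the placeholder is replaced with the raw user-supplied value,
// so a double quote in the value ends the attribute and the rest is parsed
// as markup by the browser.
function render_raw(string $template, string $page): string
{
    return str_replace('%%PAGE%%', $page, $template);
}

// Quoted for its context: the value sits in a URL query string inside an
// HTML attribute, so it is URL-encoded first and HTML-encoded second.
function render_encoded(string $template, string $page): string
{
    $encoded = htmlspecialchars(rawurlencode($page), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('%%PAGE%%', $encoded, $template);
}

// Stricter: only known page names are reflected at all; anything else
// falls back to a default. The allowlist is hypothetical.
function render_allowlisted(string $template, string $page, array $allowed, string $default): string
{
    $safe = in_array($page, $allowed, true) ? $page : $default;
    return render_encoded($template, $safe);
}

// Constructed input: a harmless marker tag that breaks out of the attribute.
$input = 'Login"><i>injected</i>';

echo render_raw(TEMPLATE, $input), PHP_EOL;
echo render_encoded(TEMPLATE, $input), PHP_EOL;
echo render_allowlisted(TEMPLATE, $input, ['Login', 'Index'], 'Login'), PHP_EOL;
```

In the first line of output the `<i>` element appears as live markup after the form tag; in the second and third it stays inside the `action` attribute as inert text or is replaced by the default page name.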