Due to a lack of overall input validation, an authenticated user can inject JavaScript Cross Site Scripting payloads into fields in IVM to create stored or reflected XSS conditions.
Cross Site Scripting (XSS)
NCH Software
IVM Attendant v5.12 and earlier
Remote
Yes
Mailbox name (stored)
/ogmlist?folder= (reflected)
/ogmprop?id= (reflected)
/msglist?mbx= (reflected)