We have discovered a vulnerability in Zoho Virtual Office.
A malformed HTML message could lead to an XSS attack. It can cause cookie
theft leading to session hijacking.
browser's frame into evil script on attacker's server.
The evil.php file contains code which saves cookie variables on the evil server.
The attacker can prepare a cookie and hijack the user's session.
Affected version: 3.2 Build 3210 (latest), previous versions might
also be vulnerable.
Vendor was contacted 72 hours ago.
marc & shb