Git · Postal · CVE-2026-25529
**Name of the Vulnerable Software and Affected Versions**
Postal versions prior to 3.3.5
**Description**
Postal is an open source SMTP server. Versions prior to 3.3.5 contain an HTML injection issue that allows unescaped data to be included in the administration interface. The primary method for adding unescaped data is through the `send/raw` method of the API endpoint `/api/v1/send/raw`. This could allow arbitrary HTML to be injected into the page, potentially modifying the page in a misleading way or enabling the execution of unauthorized JavaScript.
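The issue above is a classic output-encoding failure: message data submitted through a raw-send API is untrusted, yet it is rendered into the administration page without escaping. The following Ruby snippet is an added illustration of that pattern and its fix; it is not Postal's code, does not reproduce the change shipped in 3.3.5, and uses a constructed sample message, a hypothetical header parser and hypothetical `render_subject_*` helpers that stand in for an admin-interface view.

```ruby
require "erb"

# Constructed stand-in for a message that arrived through a raw-send API
# such as /api/v1/send/raw. The whole raw message, headers included, is
# caller-controlled, so nothing in it may reach the admin page unescaped.
RAW_MESSAGE = <<~MSG
  From: sender@example.test
  To: admin@example.test
  Subject: Quarterly report <b>ready</b>

  Hello.
MSG

# Minimal header parser (hypothetical): headers are the lines before the
# first blank line, each "Name: value".
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  head.lines.each_with_object({}) do |line, h|
    name, value = line.chomp.split(":", 2)
    h[name.strip] = value.to_s.strip if name && value
  end
end

# Unsafe rendering: the header value is interpolated straight into markup,
# which is the shape of an HTML injection issue of the kind described above.
def render_subject_unsafe(headers)
  "<td class=\"subject\">#{headers['Subject']}</td>"
end

# Hardened rendering: the value is HTML-escaped before it reaches the page.
def render_subject_safe(headers)
  "<td class=\"subject\">#{ERB::Util.html_escape(headers['Subject'])}</td>"
end

# Defender check: strip the fixed wrapper and confirm no tag-like sequence
# from the untrusted value survives in the rendered cell.
def contains_raw_tag?(html_fragment)
  inner = html_fragment.sub(/\A<td class="subject">/, "").sub(%r{</td>\z}, "")
  inner.match?(%r{<[a-zA-Z/]})
end
```

The same check can be run over any admin view that displays API-supplied message fields; a cell that still contains a tag from the untrusted value is the defect.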
**Recommendations**
Upgrade to Postal version 3.3.5 or later.