CVE-2018-18621

Name of the Vulnerable Software and Affected Versions CommuniGate Pro version 6.2

Description The issue allows for stored XSS via a message body in Pronto! Mail Composer. This occurs when the raw email link in .txt format is modified and then renamed with a .html or .wssp extension, which is mishandled in the /MIME/INBOX-MM-1/ endpoint.

Recommendations For CommuniGate Pro version 6.2, consider restricting access to the Pronto! Mail Composer to minimize the risk of exploitation until a fix is available. Avoid using the .html or .wssp extensions for raw email links in the affected endpoint.