CVE-2019-13392

Name of the Vulnerable Software and Affected Versions MindPalette NateMail version 3.0.15

Description A reflected Cross-Site Scripting issue allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application reflects the recipient value if it is not in the NateMail recipient array, which by default is keyed via integers, making any string input invalid.

Recommendations For MindPalette NateMail version 3.0.15, consider validating and sanitizing user input to prevent the reflection of malicious scripts, and ensure the recipient array properly handles string inputs to mitigate the risk of exploitation.