Stalker · CommuniGate Pro · CVE-2017-16962
**Name of the Vulnerable Software and Affected Versions**
CommuniGate Pro versions prior to 6.2.1
**Description**
The issue concerns stored XSS vulnerabilities in the WebMail components of CommuniGate Pro, specifically in Crystal, pronto, and pronto4. These vulnerabilities can be exploited through various means, including:
- the location or details field of a Google Calendar invitation,
- a crafted Outlook.com calendar invitation,
- an e-mail granting access to a directory with JavaScript in its name,
- JavaScript in a note name,
- JavaScript in a task name,
- HTML e-mail that is mishandled in the Inbox component.
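
Every vector listed above is sender-controlled text that ends up in a WebMail page. The following added example (not CommuniGate Pro code, and not from the vendor) sketches the general output-encoding defence for the calendar-invitation case: it parses the location and details fields of a constructed iCalendar invitation and HTML-encodes them when rendering. The function names, the sample invitation and the `<dt>`/`<dd>` output layout are assumptions made for illustration.

```javascript
// Added example: hypothetical webmail helper, not CommuniGate Pro code.
// Constructed invitation: LOCATION and DESCRIPTION carry markup.
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'BEGIN:VEVENT',
  'SUMMARY:Quarterly review',
  'LOCATION:Room 4 <script>console.log("loc")</script>',
  'DESCRIPTION:Agenda\\, minutes\\nBring <b onclick="console.log(1)">la',
  ' ptop</b>', // folded continuation line (RFC 5545)
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// RFC 5545 folding: a line break followed by one space or tab continues the line.
const unfold = (ics) => ics.replace(/\r?\n[ \t]/g, '');

// RFC 5545 TEXT escapes: \\ \; \, and \n or \N.
const unescapeText = (v) =>
  v.replace(/\\([\\;,nN])/g, (_, c) => (c === 'n' || c === 'N' ? '\n' : c));

// Return the properties of the first VEVENT, keyed by upper-case property name.
function parseEventFields(ics) {
  const fields = Object.create(null);
  let inEvent = false;
  for (const line of unfold(ics).split(/\r?\n/)) {
    // name, optional ;params (quoted values may contain ':'), then ':' and the value
    const m = /^([A-Za-z0-9-]+)(?:;(?:[^":]|"[^"]*")*)?:(.*)$/.exec(line);
    if (!m) continue;
    const name = m[1].toUpperCase();
    if (name === 'BEGIN' && m[2] === 'VEVENT') { inEvent = true; continue; }
    if (name === 'END' && m[2] === 'VEVENT') break;
    if (inEvent && !(name in fields)) fields[name] = unescapeText(m[2]);
  }
  return fields;
}

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// Encode every sender-controlled value at output time; the only markup in the
// result is what this function adds itself (<dt>, <dd>, <br>).
function renderInvitation(ics) {
  const f = parseEventFields(ics);
  return ['SUMMARY', 'LOCATION', 'DESCRIPTION']
    .map((k) => `<dt>${k}</dt><dd>${escapeHtml(f[k] ?? '').replace(/\n/g, '<br>')}</dd>`)
    .join('');
}
```

The same encode-on-output step applies to the directory, note and task names in the list; HTML e-mail bodies need an allow-list sanitizer instead, because there some markup has to survive.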
**Recommendations**
For versions prior to 6.2.1, update to version 6.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebMail components or disabling the handling of HTML e-mail in the Inbox component until a patch is applied. Avoid using JavaScript in directory, note, or task names within the WebMail interface.