Marlow Tannhauser

**Name of the Vulnerable Software and Affected Versions** Synametrics Technologies Xeams versions 4.5 Build 5755 and earlier **Description** The issue allows remote attackers to hijack the authentication of administrators for requests, such as creating an SMTP domain or a user, via a request to "FrontController". It also enables cross-site scripting (XSS) attacks through various parameters, including the `domainname` parameter when creating a new SMTP domain configuration, the `txtRecipient` parameter when creating a new forwarder, the `popFetchServer`, `popFetchUser`, or `popFetchRecipient` parameters when creating a new POP3 Fetcher account, and the Smtp HELO domain in the Advanced Server Configuration. **Recommendations** For Synametrics Technologies Xeams versions 4.5 Build 5755 and earlier, consider disabling access to the "FrontController" endpoint until a patch is available. Restrict the use of parameters `domainname`, `txtRecipient`, `popFetchServer`, `popFetchUser`, `popFetchRecipient`, and the Smtp HELO domain in the Advanced Server Configuration to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoint until the issue is resolved.