Maximiliano Soler

Name of the Vulnerable Software and Affected Versions: MailBee WebMail Pro versions 3.4 and earlier MailBee WebMail Pro ASP versions prior to 3.4.64 WebMail Lite ASP versions prior to 4.0.11 WebMail Lite PHP versions prior to 4.0.22 Description: The issue allows remote attackers to inject arbitrary web script or HTML via the `mode` parameter to "login.php" and the `mode2` parameter to "default.asp" in an advanced login mode. This can lead to cross-site scripting (XSS) attacks. Recommendations: For MailBee WebMail Pro versions 3.4 and earlier, update to a version later than 3.4. For MailBee WebMail Pro ASP versions prior to 3.4.64, update to version 3.4.64 or later. For WebMail Lite ASP versions prior to 4.0.11, update to version 4.0.11 or later. For WebMail Lite PHP versions prior to 4.0.22, update to version 4.0.22 or later. As a temporary workaround, consider restricting access to the "login.php" and "default.asp" files to minimize the risk of exploitation. Avoid using the `mode` and `mode2` parameters in the affected API endpoints until the issue is resolved.