PT-2015-6073 · Synametrics Technologies · Xeams

Marlow Tannhauser · Published 2015-05-20 · Updated 2016-12-03 · CVE-2015-3141

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Synametrics Technologies Xeams versions 4.5 Build 5755 and earlier

Description: The issue allows remote attackers to hijack the authentication of administrators for requests, such as creating an SMTP domain or a user, via a request to "FrontController". It also enables cross-site scripting (XSS) attacks through various parameters, including the domainname parameter when creating a new SMTP domain configuration, the txtRecipient parameter when creating a new forwarder, the popFetchServer, popFetchUser, or popFetchRecipient parameters when creating a new POP3 Fetcher account, and the Smtp HELO domain in the Advanced Server Configuration.

Recommendations: For Synametrics Technologies Xeams versions 4.5 Build 5755 and earlier, consider disabling access to the "FrontController" endpoint until a patch is available. Restrict the use of the parameters domainname, txtRecipient, popFetchServer, popFetchUser, popFetchRecipient, and the Smtp HELO domain in the Advanced Server Configuration to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoint until the issue is resolved.
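As an added illustration (this is not code from Xeams or from this advisory), the following Python sketch shows the two server-side controls that close the classes of issue described above: a per-session anti-CSRF token that every state-changing admin request must present, and HTML output encoding of attacker-controlled parameters such as domainname before they are rendered back into an admin page. The handler name, the session dictionary, the form layout and the sample inputs are assumptions made for the example.

```python
"""Hypothetical 'create SMTP domain' admin handler hardened against
CSRF (token check) and stored/reflected XSS (output encoding).
Not Xeams code; names and structure are assumptions for illustration."""
import hmac
import html
import secrets


class CsrfError(Exception):
    """Raised when a state-changing request lacks a valid anti-CSRF token."""


def issue_csrf_token(session):
    """Generate a fresh random token, store it in the server-side session,
    and return it so the legitimate form can embed it as a hidden field.
    A cross-origin page cannot read this value, so it cannot forge the request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_create_domain(session, form, method="POST"):
    """Process the (assumed) 'create SMTP domain' action.

    - rejects non-POST methods, since GET must never change server state
    - requires form['csrf_token'] to match the session token (constant-time)
    - HTML-escapes the submitted domainname before echoing it into the page

    Returns the rendered confirmation fragment as a string."""
    if method != "POST":
        raise CsrfError("state-changing action requires POST")
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise CsrfError("missing or invalid CSRF token")
    domainname = form.get("domainname", "")
    # Output encoding: '<' and '>' become '&lt;' and '&gt;', so whatever the
    # admin (or an injected value) typed is shown as text, not parsed as markup.
    return "<p>Created SMTP domain: {}</p>".format(html.escape(domainname, quote=True))


def demo():
    """Constructed sample interactions (not captured traffic):
    a request without the token is refused, a request with the token and a
    markup-bearing domainname is accepted but rendered inert."""
    session = {}
    token = issue_csrf_token(session)
    try:
        handle_create_domain(session, {"domainname": "forged.example"}, "POST")
        forged_blocked = False
    except CsrfError:
        forged_blocked = True
    rendered = handle_create_domain(
        session, {"csrf_token": token, "domainname": "<script>alert(1)</script>"}
    )
    return forged_blocked, rendered


if __name__ == "__main__":
    print(demo())
```

The token check addresses the authentication-hijacking half of the advisory: the browser still sends the admin's session cookie with a forged request, but the forged form cannot contain the per-session token, so the handler refuses it. The escaping addresses the XSS half and would be applied to every parameter the advisory lists, not only domainname.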

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers: CVE-2015-3141

Affected Products: Xeams