PT-2017-13570 · Afterlogic · Afterlogic Webmail Pro+1

Published

2017-09-19

Updated

2017-09-22

CVE-2017-14597

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions AfterLogic WebMail version 7.7 AfterLogic Aurora version 7.7.5

Description The issue concerns an XSS vulnerability in the AdminPanel of AfterLogic WebMail and Aurora. This vulnerability can be exploited via the txtDomainName field in the adminpanel/modules/pro/inc/ajax.php endpoint during the addition of a domain.

Recommendations For AfterLogic WebMail version 7.7, update to a version that includes a fix for this issue. For AfterLogic Aurora version 7.7.5, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the adminpanel/modules/pro/inc/ajax.php endpoint to minimize the risk of exploitation. Avoid using the txtDomainName field in the affected endpoint until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-14597

Affected Products

Afterlogic Aurora

Afterlogic Webmail Pro

PT-2017-13570 · Afterlogic · Afterlogic Webmail Pro+1

CVE-2017-14597

Weakness Enumeration

Related Identifiers

Affected Products

References · 3