PT-2017-14665 · Stalker · Communigate Pro
Boumediene Kaddour · Published 2017-11-27 · Updated 2017-12-12 · CVE-2017-16962
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
CommuniGate Pro versions prior to 6.2.1
Description
The issue concerns stored XSS vulnerabilities in the WebMail components of CommuniGate Pro, specifically in the Crystal, Pronto, and Pronto4 interfaces. The script can be stored through various inputs, including:
- the location or details field of a Google Calendar invitation,
- a crafted Outlook.com calendar invitation,
- e-mail granting access to a directory with JavaScript in its name,
- JavaScript in a note name,
- JavaScript in a task name,
- HTML e-mail that is mishandled in the Inbox component.
Recommendations
For versions prior to 6.2.1, update to version 6.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebMail components or disabling the handling of HTML e-mail in the Inbox component until a patch is applied. Avoid using JavaScript in directory, note, or task names within the WebMail interface.
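An added example, not CommuniGate Pro's own code, of the output encoding the fix implies on the calendar path: the location and details of an invitation arrive as the iCalendar LOCATION and DESCRIPTION properties, and a WebMail view must HTML-encode them before rendering. The invitation text and the helper names are constructed for the demo.

```javascript
// Added example (not CommuniGate Pro code): encode untrusted calendar
// invitation fields for an HTML context before a WebMail view renders them.
// LOCATION and DESCRIPTION are standard iCalendar (RFC 5545) properties;
// the invitation below and the helper names are constructed for the demo.

// Unfold RFC 5545 continuation lines (line break followed by a space or tab).
function unfoldIcs(text) {
  return text.replace(/\r?\n[ \t]/g, "");
}

// Value of the first occurrence of a property, ignoring parameters such as
// LOCATION;LANGUAGE=en:... and decoding the TEXT escapes \n \, \; and \\.
function icsProperty(ics, name) {
  const re = new RegExp("^" + name + "(?:;[^:\\r\\n]*)?:(.*)$", "m");
  const m = unfoldIcs(ics).match(re);
  if (!m) return "";
  return m[1].replace(/\\([nN,;\\])/g, (_, c) => (c === "n" || c === "N" ? "\n" : c));
}

// Escape every character that carries meaning in HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Invitation card markup. Every untrusted value goes through escapeHtml();
// line breaks in the details become <br> only after escaping, so no raw
// markup from the invitation can reach the document.
function renderInvite(ics) {
  const location = escapeHtml(icsProperty(ics, "LOCATION"));
  const details = escapeHtml(icsProperty(ics, "DESCRIPTION")).replace(/\n/g, "<br>");
  return `<div class="invite"><dt>Where</dt><dd>${location}</dd>` +
    `<dt>Details</dt><dd>${details}</dd></div>`;
}

// Constructed invitation whose location carries markup, as an attacker-
// controlled calendar field would; the description uses TEXT escapes and a folded line.
const SAMPLE_INVITE = [
  "BEGIN:VCALENDAR",
  "BEGIN:VEVENT",
  "SUMMARY:Sync",
  "LOCATION;LANGUAGE=en:Room 1 <script>x()</script>",
  "DESCRIPTION:Agenda\\, part 1\\nBring the",
  "  draft <b>report</b>",
  "END:VEVENT",
  "END:VCALENDAR",
].join("\r\n");

console.log(renderInvite(SAMPLE_INVITE));
```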
Affected Products: CommuniGate Pro