CVE-2017-5870

Name of the Vulnerable Software and Affected Versions ViMbAdmin version 3.0.15

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various parameters, including the domain or transport parameter to the "domain/add" endpoint, the name parameter to the "mailbox/add/did/" endpoint, the goto parameter to the "alias/add/did/" endpoint, or the captchatext parameter to the "auth/lost-password" endpoint.

Recommendations For ViMbAdmin version 3.0.15, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the affected endpoints, such as "domain/add", "mailbox/add/did/", "alias/add/did/", and "auth/lost-password", to minimize the risk of exploitation. Additionally, avoid using the vulnerable parameters, such as domain, transport, name, goto, and captchatext, in the affected endpoints until the issue is resolved.