CVE-2019-16414

Name of the Vulnerable Software and Affected Versions GFI Kerio Control version 9.3.0

Description A DOM-based XSS issue allows the embedding of malicious code, enabling the manipulation of the login page. This can lead to the theft of a victim's cleartext credentials, which are sent back to an attacker via a /login/?reason=failure&NTLM= URI.

Recommendations For GFI Kerio Control version 9.3.0, consider restricting access to the login page until a fix is available. As a temporary workaround, avoid using the login page with the NTLM parameter in the URI until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.