CVE-2022-40257

Name of the Vulnerable Software and Affected Versions CERT/CC VINCE versions prior to 1.50.4

Description An HTML injection issue exists due to the failure to neutralize special elements. This allows a remote attacker to inject arbitrary HTML code via a crafted email with HTML content in the Subject field. An authenticated attacker can exploit this to inject arbitrary HTML.

Recommendations For versions prior to 1.50.4, update to version 1.50.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTML content in email subjects to minimize the risk of exploitation.