CVE-2023-48114

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterMail versions 8495 through 8664

Description The issue allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name.

Recommendations For versions 8495 through 8664, update to version 8747 or later to resolve the issue. As a temporary workaround, consider restricting the upload of SVG documents to minimize the risk of exploitation. Avoid using the image/svg+xml type in uploaded documents until the issue is resolved.