PT-2023-30704 · Smartertools · Smartermail
Published
2023-12-21
·
Updated
2024-01-04
·
CVE-2023-48115
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
SmarterTools SmarterMail versions 8495 through 8664 before 8747
Description
The issue allows stored DOM-based XSS because an XSS protection mechanism is skipped when the messageHTML and messagePlainText fields are both set in the same request: the HTML body is stored without passing through the protection and is later rendered in the recipient's browser.
Recommendations
For versions 8495 through 8664 before 8747, update to version 8747 or later to resolve the issue.
As a temporary workaround until the update can be applied, restrict requests that set messageHTML and messagePlainText together (for example, reject or filter such requests at a reverse proxy or WAF in front of SmarterMail).
Exploit
Fix
XSS
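The following is an added illustration of the bug class the description names (a protection mechanism that only runs on one code path), written for this page and not taken from SmarterMail's code. Only the field names messageHTML and messagePlainText come from the advisory; the handler functions, the toy sanitizer and the sample request are assumptions constructed to show the pattern, its hardened form, and the request-level workaround described above.

```javascript
// Hypothetical message-store handler, NOT SmarterMail's implementation.
// It demonstrates how an XSS protection step can be skipped when two body
// fields arrive in one request, and how to fix and how to filter for it.

// Toy stand-in for the real XSS protection: strips <script> blocks,
// on* event-handler attributes and javascript: URLs. Illustration only.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/(href|src)\s*=\s*["']?\s*javascript:[^"'\s>]*["']?/gi, '$1="#"');
}

// Vulnerable pattern: sanitization happens only on the "HTML-only" branch.
// A request carrying both fields falls through and stores raw HTML, which
// the web client later inserts into the DOM (stored DOM XSS).
function storeMessageVulnerable(req) {
  const { messageHTML, messagePlainText } = req;
  if (messageHTML !== undefined && messagePlainText === undefined) {
    return { body: sanitizeHtml(messageHTML), isHtml: true };
  }
  if (messagePlainText !== undefined && messageHTML === undefined) {
    return { body: messagePlainText, isHtml: false };
  }
  return { body: messageHTML, isHtml: true }; // protection skipped here
}

// Hardened pattern: sanitize the HTML body whenever it is present,
// regardless of which other fields accompany it in the request.
function storeMessageFixed(req) {
  const { messageHTML, messagePlainText } = req;
  if (messageHTML !== undefined) {
    return { body: sanitizeHtml(messageHTML), isHtml: true, plainText: messagePlainText };
  }
  if (messagePlainText !== undefined) {
    return { body: messagePlainText, isHtml: false };
  }
  throw new Error("request carries no message body");
}

// Workaround check for a proxy/WAF rule: flag requests that set both fields.
function setsBothBodies(req) {
  return req.messageHTML !== undefined && req.messagePlainText !== undefined;
}

// Constructed sample request (assumed shape) combining both fields with a payload.
const SAMPLE_REQUEST = {
  messageHTML: '<p onmouseover="alert(1)">hi</p><script>alert(document.cookie)</script>',
  messagePlainText: "hi",
};

// Stand-alone demonstration.
console.log("vulnerable stores:", storeMessageVulnerable(SAMPLE_REQUEST).body);
console.log("fixed stores:     ", storeMessageFixed(SAMPLE_REQUEST).body);
console.log("workaround blocks request:", setsBothBodies(SAMPLE_REQUEST));
```

The point to carry away is that the protection must be keyed on the dangerous field being present at all, not on the combination of fields in the request; the proxy rule is only a stopgap because it blocks a legitimate request shape rather than fixing the branch that skips sanitization.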
Affected Products
Smartermail