CVE-2023-49575

Name of the Vulnerable Software and Affected Versions VX Search Enterprise version 10.2.14

Description A vulnerability has been discovered that could allow an attacker to execute persistent XSS through the "/setup smtp" API endpoint in the smtp server, smtp user, smtp password, and smtp email address parameters. This could allow an attacker to store malicious JavaScript payloads on the system to be triggered when the page loads.

Recommendations For version 10.2.14, consider disabling the "/setup smtp" API endpoint until a patch is available to prevent exploitation. Restrict access to the smtp server, smtp user, smtp password, and smtp email address parameters to minimize the risk of storing malicious JavaScript payloads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.