Smartertools: >> Smartermail Security Vulnerabilities
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-21
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-21
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-21
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
CVSS Score
9.8
EPSS Score
0.031
Published
2021-11-17
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.
CVSS Score
6.1
EPSS Score
0.005
Published
2021-11-17
SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the application.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-09-08
An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session.
CVSS Score
8.1
EPSS Score
0.01
Published
2021-08-17
SmarterTools SmarterMail before Build 7776 allows XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2021-07-06
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the web directories.
CVSS Score
6.5
EPSS Score
0.14
Published
2019-04-24
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
CVSS Score
9.8
EPSS Score
0.827
Published
2019-04-24
Page 1