Cross-Site Scripting (XSS) in NetWin SurgeMail

Posted date 29/11/2024
Identifier
INCIBE-2024-0589
Importance
3 - Medium
Affected Resources

SurgeMail, version 78c2.

Description

INCIBE has coordinated the publication of 1 medium severity vulnerability affecting SurgeMail, a secure multifunctional email server, which has been discovered by Cristhian Pacherres, Mauricio Jara and Alfredo Mariños.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-11990: CVSS v3.1: 4.6 | CVSS AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CWE-79.
Solution

The vulnerability has been fixed by the NetWin team in version 78e.

Detail

CVE-2024-11990: a Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could allow an attacker to execute arbitrary JavaScript code via a crafted payload injected into vulnerable parameters.
