11 results (0.005 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Mail Composer, which is mishandled in /MIME/INBOX-MM-1/ if the raw email link (in .txt format) is modified and then renamed with a .html or .wssp extension. CommuniGate Pro 6.2 permite Cross-Site Scripting (XSS) persistente mediante un cuerpo de mensaje en Pronto! Mail Composer, que se gestiona de manera incorrecta en /MIME/INBOX-MM-1/ si el enlace al email en bruto (en formato .txt) se modifica y después se renombra con una extensión .html o .wssp. CommuniGatePro Pronto webmail version 6.2 suffers from a persistent cross site scripting vulnerability. • http://packetstormsecurity.com/files/149916/CommuniGatePro-Pronto-Webmail-6.2-Cross-Site-Scripting.html https://drive.google.com/drive/folders/1irWaVi-AySHFFMap5pF1_7hk6mTeemDT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 1

The "XML Interface to Messaging, Scheduling, and Signaling" (XIMSS) protocol implementation in CommuniGate Pro (CGP) 6.2 suffers from a Missing XIMSS Protocol Validation attack that leads to an email spoofing attack, allowing a malicious authenticated attacker to send a message from any source email address. The attack uses an HTTP POST request to a /Session URI, and interchanges the XML From and To elements. La implementación en el protocolo XIMSS (XML Interface to Messaging, Scheduling, and Signaling) en CommuniGate Pro (CGP) 6.2 sufre un ataque basado en la ausencia de validación del protocolo XIMSS que conduce a un ataque de suplantación de email, permitiendo a un atacante autenticado malicioso enviar un mensaje desde cualquier dirección de correo. El ataque utiliza una petición HTTP POST a la URI /Session e intercambia los elementos XML "From" y "To". CommunigatePro XML Interface to Messaging, Scheduling, and Signaling protocol ("XIMSS") version 6.2 suffers from a missing XIMSS protocol validation vulnerability that can lead to an email spoofing attack. • https://packetstormsecurity.com/files/145724/communigatepro62-spoof • CWE-287: Improper Authentication •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component. Los componentes WebMail (Crystal, pronto y pronto4) en CommuniGate Pro en versiones anteriores a la 6.2.1 tienen vulnerabilidades de Cross-Site Scripting (XSS) persistente mediante (1) los campos location o details de una invitación de Google Calendar, (2) una invitación del calendario de Outlook (también conocida como Hotmail Calendar) manipulada, (3) un correo electrónico que proporciona acceso a un directorio que tiene JavaScript en su nombre, (4) JavaScript en un nombre de nota, (5) JavaScript en un nombre de tarea o (6) un correo electrónico HTML que se gestiona de manera incorrecta en el componente Inbox. CommuniGatePro version 6.1.16 suffers from multiple stored cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/43177 https://packetstormsecurity.com/files/145095/communigatepro-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 6%CPEs: 2EXPL: 1

Cross-site scripting (XSS) vulnerability in the WebMail system in Stalker CommuniGate Pro 5.1.8 and earlier, when using Microsoft Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via crafted STYLE tags. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el sistema WebMail de Stalker CommuniGate Pro 5.1.8 y anteriores, utilizando Microsoft Internet Explorer, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante etiquetas STYLE manipuladas artesanalmente. • https://www.exploit-db.com/exploits/30027 http://marc.info/?l=full-disclosure&m=117900749209206&w=2 http://osvdb.org/36017 http://secunia.com/advisories/25250 http://www.communigate.com/CommuniGatePro/History51.html http://www.scanit.be/advisory-2007-05-12.html http://www.securityfocus.com/bid/23950 http://www.securitytracker.com/id?1018048 http://www.vupen.com/english/advisories/2007/1795 https://exchange.xforce.ibmcloud.com/vulnerabilities/34266 •

CVSS: 7.5EPSS: 31%CPEs: 14EXPL: 1

CommuniGate Pro Core Server before 5.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via LDAP messages with negative BER lengths, and possibly other vectors, as demonstrated by the ProtoVer LDAP test suite. • https://www.exploit-db.com/exploits/27144 http://secunia.com/advisories/18640 http://www.gleg.net/advisory_cg.shtml http://www.securityfocus.com/archive/1/423364/100/0/threaded http://www.securityfocus.com/bid/16407 http://www.stalker.com/CommuniGatePro/History.html http://www.vupen.com/english/advisories/2006/0364 https://exchange.xforce.ibmcloud.com/vulnerabilities/24409 •