CVE-2018-18621 – CommuniGatePro Pronto Webmail 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-18621
CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Mail Composer, which is mishandled in /MIME/INBOX-MM-1/ if the raw email link (in .txt format) is modified and then renamed with a .html or .wssp extension.
CommuniGatePro Pronto webmail version 6.2 suffers from a persistent cross-site scripting vulnerability.
• http://packetstormsecurity.com/files/149916/CommuniGatePro-Pronto-Webmail-6.2-Cross-Site-Scripting.html
• https://drive.google.com/drive/folders/1irWaVi-AySHFFMap5pF1_7hk6mTeemDT
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16962 – CommuniGatePro 6.1.16 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16962
The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component.
CommuniGatePro version 6.1.16 suffers from multiple stored cross-site scripting vulnerabilities.
• https://www.exploit-db.com/exploits/43177
• https://packetstormsecurity.com/files/145095/communigatepro-xss.txt
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2006-0566
https://notcve.org/view.php?id=CVE-2006-0566
The LDAP component in CommuniGate Pro Core Server 5.0.7 allows remote attackers to cause a denial of service (application crash) via LDAP messages that contain Distinguished Names (DN) fields with a large number of elements.
• http://secunia.com/advisories/18701
• http://securityreason.com/securityalert/416
• http://securitytracker.com/id?1015587
• http://www.gleg.net/advisory_cg2.shtml
• http://www.osvdb.org/22932
• http://www.securityfocus.com/archive/1/423968/100/0/threaded
• http://www.stalker.com/CommuniGatePro/History.html
• http://www.vupen.com/english/advisories/2006/0444
• https://exchange.xforce.ibmcloud.com/vulnerabilities/24409