
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Dec 2023 — SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name. • https://co3us.gitbook.io/write-ups/stored-xss-in-email-body-of-smartermail-cve-2023-48114 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Dec 2023 — SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. • https://co3us.gitbook.io/write-ups/stored-dom-xss-in-email-body-of-smartermail • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Dec 2023 — SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment. • https://co3us.gitbook.io/write-ups/stored-xss-in-calendar-component-of-smartermail-cve-2023-48116 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Nov 2021 — SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. • https://csirt.divd.nl/cases/DIVD-2021-00006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Nov 2021 — SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. • https://csirt.divd.nl/cases/DIVD-2021-00006

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Sep 2021 — SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the application. • https://www.smartertools.com/smartermail/release-notes/current • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Aug 2021 — An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session. • https://nostarttls.secvuln.info • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Jul 2021 — SmarterTools SmarterMail before Build 7776 allows XSS. • https://www.smartertools.com/smartermail/release-notes/current • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Apr 2019 — SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server, for instance by putting files inside the web directories. • https://github.com/secunnix/CVE-2019-7213 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Apr 2019 — SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users' emails and file attachments. It was also possible to interact with mailing lists. • https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail • CWE-798: Use of Hard-coded Credentials