CVE-2018-18621 – CommuniGatePro Pronto Webmail 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-18621
CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Mail Composer, which is mishandled in /MIME/INBOX-MM-1/ if the raw email link (in .txt format) is modified and then renamed with a .html or .wssp extension. CommuniGate Pro 6.2 permite Cross-Site Scripting (XSS) persistente mediante un cuerpo de mensaje en Pronto! Mail Composer, que se gestiona de manera incorrecta en /MIME/INBOX-MM-1/ si el enlace al email en bruto (en formato .txt) se modifica y después se renombra con una extensión .html o .wssp. CommuniGatePro Pronto webmail version 6.2 suffers from a persistent cross site scripting vulnerability. • http://packetstormsecurity.com/files/149916/CommuniGatePro-Pronto-Webmail-6.2-Cross-Site-Scripting.html https://drive.google.com/drive/folders/1irWaVi-AySHFFMap5pF1_7hk6mTeemDT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-3815 – CommuniGatePro 6.2 Missing XIMSS Tag Validation
https://notcve.org/view.php?id=CVE-2018-3815
The "XML Interface to Messaging, Scheduling, and Signaling" (XIMSS) protocol implementation in CommuniGate Pro (CGP) 6.2 suffers from a Missing XIMSS Protocol Validation attack that leads to an email spoofing attack, allowing a malicious authenticated attacker to send a message from any source email address. The attack uses an HTTP POST request to a /Session URI, and interchanges the XML From and To elements. La implementación en el protocolo XIMSS (XML Interface to Messaging, Scheduling, and Signaling) en CommuniGate Pro (CGP) 6.2 sufre un ataque basado en la ausencia de validación del protocolo XIMSS que conduce a un ataque de suplantación de email, permitiendo a un atacante autenticado malicioso enviar un mensaje desde cualquier dirección de correo. El ataque utiliza una petición HTTP POST a la URI /Session e intercambia los elementos XML "From" y "To". CommunigatePro XML Interface to Messaging, Scheduling, and Signaling protocol ("XIMSS") version 6.2 suffers from a missing XIMSS protocol validation vulnerability that can lead to an email spoofing attack. • https://packetstormsecurity.com/files/145724/communigatepro62-spoof • CWE-287: Improper Authentication •
CVE-2017-16962 – CommuniGatePro 6.1.16 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16962
The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component. Los componentes WebMail (Crystal, pronto y pronto4) en CommuniGate Pro en versiones anteriores a la 6.2.1 tienen vulnerabilidades de Cross-Site Scripting (XSS) persistente mediante (1) los campos location o details de una invitación de Google Calendar, (2) una invitación del calendario de Outlook (también conocida como Hotmail Calendar) manipulada, (3) un correo electrónico que proporciona acceso a un directorio que tiene JavaScript en su nombre, (4) JavaScript en un nombre de nota, (5) JavaScript en un nombre de tarea o (6) un correo electrónico HTML que se gestiona de manera incorrecta en el componente Inbox. CommuniGatePro version 6.1.16 suffers from multiple stored cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/43177 https://packetstormsecurity.com/files/145095/communigatepro-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •