#VU80408 Stored cross-site scripting in A.K.I Software products - CVE-2023-39223


Vulnerability identifier: #VU80408

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-39223

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PMailServer Free edition
Server applications / Other server solutions
PMailServer Standard edition
Server applications / Other server solutions
PMailServer Pro edition
Server applications / Other server solutions
PMailServer Standard + IMAP4 edition
Server applications / Other server solutions
PMailServer Pro + IMAP4 edition
Server applications / Other server solutions
PMailServer2 Standard edition
Server applications / Other server solutions
PMailServer2 Pro edition
Server applications / Other server solutions
PMailServer2 Standard + IMAP4 edition
Server applications / Other server solutions
PMailServer2 Pro + IMAP4 edition
Server applications / Other server solutions
PMailServer2 Enterprise edition
Server applications / Other server solutions

Vendor: A.K.I Software

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: The following CGIs included with the vulnerable products are affected by the vulnerability.

  • pmc.exe 2.5.1.720 and earlier
  • pmam.exe 2.5.1.1411 and earlier
  • pmmls.exe 2.5.1.561 and earlier
  • pmum.exe (Standard edition) 2.5.1.25451 and earlier
  • pmum.exe (Pro edition) 2.5.1.25452 and earlier
  • pmum.exe (Standard + IMAP4 edition) 2.5.1.25453 and earlier
  • pmum.exe (Pro + IMAP4 edition / Enterprise edition) 2.5.1.25454 and earlier
  • pmman.exe (Standard edition) 2.5.1.12154 and earlier
  • pmman.exe (Pro edition) 2.5.1.12155 and earlier
  • pmman.exe (Standard + IMAP4 edition) 2.5.1.12156 and earlier
  • pmman.exe (Pro + IMAP4 edition) 2.5.1.12157 and earlier
  • pmman.exe (Enterprise edition) 2.5.1.12158 and earlier

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PMailServer Free edition: All versions

PMailServer Standard edition: 1.91

PMailServer Pro edition: 1.91

PMailServer Standard + IMAP4 edition: 1.91

PMailServer Pro + IMAP4 edition: 1.91

PMailServer2 Standard edition: before 2.51a

PMailServer2 Pro edition: before 2.51a

PMailServer2 Standard + IMAP4 edition: before 2.51a

PMailServer2 Pro + IMAP4 edition: before 2.51a

PMailServer2 Enterprise edition: before 2.51a

External links
https://jvn.jp/en/jp/JVN92720882/index.html
https://akisoftware.com/Vulnerability202301.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in CGIs of PMailServer and PMailServer2