SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-21
Updated
2024-01-04
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-21
Updated
2024-01-04
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-21
Updated
2024-01-04
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.
Max CVSS
6.1
EPSS Score
0.08%
Published
2021-11-17
Updated
2021-11-18
SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the application.
Max CVSS
5.4
EPSS Score
0.05%
Published
2021-09-08
Updated
2021-09-14
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
Max CVSS
9.8
EPSS Score
1.13%
Published
2021-11-17
Updated
2021-11-18
SmarterTools SmarterMail before Build 7776 allows XSS.
Max CVSS
6.1
EPSS Score
0.08%
Published
2021-07-06
Updated
2021-07-13
An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session.
Max CVSS
8.1
EPSS Score
0.20%
Published
2021-08-17
Updated
2021-08-25

CVE-2019-7214

Public exploit
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
Max CVSS
10.0
EPSS Score
78.55%
Published
2019-04-24
Updated
2023-07-11
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the web directories.
Max CVSS
6.5
EPSS Score
0.06%
Published
2019-04-24
Updated
2019-04-30
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing lists.
Max CVSS
8.2
EPSS Score
0.26%
Published
2019-04-24
Updated
2020-02-10
SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file attachment.
Max CVSS
6.1
EPSS Score
0.08%
Published
2019-04-24
Updated
2019-04-29
SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an XSS attack, as the password reset page did not need the current password.
Max CVSS
6.1
EPSS Score
0.08%
Published
2019-01-16
Updated
2019-01-24
Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a JavaScript alert function used in conjunction with the fromCharCode method, (2) a SCRIPT element, (3) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element, or (4) an innerHTML attribute within an XML document.
Max CVSS
4.3
EPSS Score
0.12%
Published
2012-09-19
Updated
2012-10-26
Directory traversal vulnerability in FileStorageUpload.ashx in SmarterMail 7.1.3876 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash) in the name parameter.
Max CVSS
5.0
EPSS Score
1.00%
Published
2010-09-22
Updated
2017-08-17
Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in SmarterMail 5.0.2999 allows remote attackers to cause a denial of service (service termination) via a long HTTP (1) GET, (2) HEAD, (3) PUT, (4) POST, or (5) TRACE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
5.0
EPSS Score
2.86%
Published
2008-04-16
Updated
2017-08-08
login.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service via a long txtusername parameter, possibly due to a buffer overflow.
Max CVSS
5.0
EPSS Score
1.87%
Published
2004-12-31
Updated
2017-07-11
Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename parameter.
Max CVSS
5.0
EPSS Score
0.66%
Published
2004-12-31
Updated
2017-07-11
Cross-site scripting (XSS) vulnerability in frmCompose.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to inject arbitrary web script or HTML via Javascript to the "check spelling" feature in the compose area.
Max CVSS
4.3
EPSS Score
0.78%
Published
2004-12-31
Updated
2017-07-11
frmAddfolder.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote authenticated users to create a folder that SmarterMail cannot delete or rename via a folder name with a null byte ("%00"). NOTE: it is not clear whether this issue poses a vulnerability.
Max CVSS
4.0
EPSS Score
0.20%
Published
2004-12-31
Updated
2017-07-11
SMTP service in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous open connections to TCP port 25.
Max CVSS
7.8
EPSS Score
1.30%
Published
2004-12-31
Updated
2017-07-11
21 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!