Vulnerability Description
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.
CVSS Score
5.4
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Smartertools | Smartermail | >= 16.0.8495, < 16.0.8747 |
Related Weaknesses (CWE)
References
- https://co3us.gitbook.io/write-ups/stored-dom-xss-in-email-body-of-smartermailExploitThird Party Advisory
- https://www.smartertools.com/smartermail/release-notes/currentRelease Notes
- https://co3us.gitbook.io/write-ups/stored-dom-xss-in-email-body-of-smartermailExploitThird Party Advisory
- https://www.smartertools.com/smartermail/release-notes/currentRelease Notes
FAQ
What is CVE-2023-48115?
CVE-2023-48115 is a vulnerability with a CVSS score of 5.4 (MEDIUM). SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.
How severe is CVE-2023-48115?
CVE-2023-48115 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-48115?
Check the references section above for vendor advisories and patch information. Affected products include: Smartertools Smartermail.