Redirection page XSS in Kerio Connect versions 7 – 8.3.2

Answer

Overview

A cross-site scripting (XSS) vulnerability in the redirect page of Kerio Connect 8.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a specially crafted Host header. The header value is improperly handled when the HTTP redirect response is rendered on the product administration port (TCP 4040).

Impact

CVSS Base Score: 6.4

Impact Subscore: 4.9

Exploitability Subscore: 10

Overall CVSS Score: 5

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

Vulnerable versions

Kerio Connect 7.0.0 - 8.3.2

Technical details

Cross Site Scripting (XSS): CWE-79
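The pattern behind this weakness, shown as an added example that is not Kerio's code and not part of this article: a redirect page that copies the request's Host header into its response body, beside a hardened version that only accepts an allow-listed, well-formed host and HTML-escapes what reaches the page. The hostnames, port and path are constructed for the illustration.

```python
import html
import re
from typing import Iterable, Optional

# Constructed, hypothetical configuration: hostnames this service is allowed to
# answer for. A real deployment would load these from its configuration.
ALLOWED_HOSTS = {"mail.example.test", "mail.example.test:4040"}
DEFAULT_HOST = "mail.example.test:4040"

# A syntactically valid host: letters, digits, dots, hyphens, optional port.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def unsafe_redirect(host_header: str, path: str = "/admin/") -> str:
    """Vulnerable pattern (CWE-79): the raw Host header is echoed into the
    redirect target and into the HTML body, so markup in Host lands in the page."""
    location = f"https://{host_header}{path}"
    body = f'<html><body>Redirecting to <a href="{location}">{location}</a></body></html>'
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Type: text/html\r\n\r\n{body}"


def select_host(host_header: Optional[str], allowed: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Accept the Host header only if it is well-formed and on the allow-list;
    otherwise fall back to the configured hostname. Because the regex rejects
    quotes, angle brackets and CR/LF, nothing attacker-shaped can pass."""
    if host_header and _HOST_RE.match(host_header):
        candidate = host_header.lower()
        if candidate in {h.lower() for h in allowed}:
            return candidate
    return DEFAULT_HOST


def safe_redirect(host_header: Optional[str], path: str = "/admin/") -> str:
    """Hardened pattern: allow-listed host plus HTML escaping of the value
    before it is placed in the response body."""
    location = f"https://{select_host(host_header)}{path}"
    escaped = html.escape(location, quote=True)
    body = f'<html><body>Redirecting to <a href="{escaped}">{escaped}</a></body></html>'
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Type: text/html\r\n\r\n{body}"


if __name__ == "__main__":
    # Constructed request value for the demonstration: a Host header carrying markup.
    crafted = 'mail.example.test"><script>1</script>'
    print(unsafe_redirect(crafted))  # markup is reflected verbatim
    print(safe_redirect(crafted))    # falls back to the configured host
```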

Posted by Priyanka Bhotika