Answer
Overview
Cross-site scripting (XSS) vulnerability in the redirect page on the Kerio Connect 8.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via specially crafted Host header. That is improperly handled during rendering of the HTTP redirect response on product administration port (TCP 4040).
Impact
CVSS Base Score: 6.4
Impact Subscore: 4.9
Exploitability Subscore: 10
Overall CVSS Score: 5
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
Vulnerable versions
Kerio Connect 7.0.0 - 8.3.2
Technical details
Cross Site Scripting (XSS): CWE-79