October 6, 2014
The reported vulnerability is a stored XSS in the calendar feature of Kerio Connect 8.1.
Reported by Géraud De Drouas from the French Network and Information Security Agency (ANSSI).
Disclosure of sensitive information (for example, a session cookie).
CVSS Base Score: 5.5
Impact Subscore: 4.9
Exploitability Subscore: 8
Overall CVSS Score: 4.3
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
Kerio Connect 8.1.0
Kerio Connect 8.1.1
Kerio Connect 8.1.2
Kerio Connect 8.1.3
Lack of user input control (CWE-79)