Smartermail 6919 | Exploit


  1. Create a new calendar event in SmarterMail webmail.
  2. In the "Location" field, enter: <script>alert('XSS')</script>
  3. Save the event and refresh the calendar view.

    Attack Vector: An unauthenticated attacker can send specially crafted, serialized .NET objects to these endpoints.

    • If you see a popup saying "XSS", your server is vulnerable.
    • If the text is shown as plain text or stripped, you are protected.

    CVE-2019-7212: Use of hardcoded secret keys, which could facilitate further compromise.

    Immediate Mitigation Steps for Administrators