Email Security Security Vulnerabilities

CVE-2023-43766

Certain WithSecure products allow Local privilege escalation via the lhz archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for.....

CVE-2023-43767

Certain WithSecure products allow Denial of Service via the aepack archive unpack handler. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac...

CVE-2023-43761

Certain WithSecure products allow Denial of Service (infinite loop). This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements.....

CVE-2023-43760

Certain WithSecure products allow Denial of Service via a fuzzed PE32 file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure...

CVE-2023-43765

Certain WithSecure products allow Denial of Service in the aeelf component. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure...

CVE-2023-42525

Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security...

CVE-2023-42524

Certain WithSecure products allow an infinite loop in a scanning engine via unspecified file types. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security...

CVE-2023-42521

Certain WithSecure products allow a remote crash of a scanning engine via processing of a compressed file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client...

CVE-2023-42522

Certain WithSecure products allow a remote crash of a scanning engine via processing of an import struct in a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later,...

CVE-2023-42523

Certain WithSecure products allow a remote crash of a scanning engine via unpacking of a PE file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for....

CVE-2023-42526

Certain WithSecure products allow a remote crash of a scanning engine via decompression of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client....

CVE-2023-42520

Certain WithSecure products allow a remote crash of a scanning engine via unpacking of crafted data files. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client...

CVE-2023-4599

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers....

CVE-2020-26082

A vulnerability in the zip decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass content filters that are configured on an affected device. The vulnerability is due to improper handling of...

CVE-2021-4422

The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a....

CVE-2023-3168

The WP Reroute Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

CVE-2023-3158

The Mail Control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 0.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages.....

CVE-2023-3166

The Lana Email Logger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, Lana Email Logger due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web.....

CVE-2023-3082

The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that.....

CVE-2023-20119

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager, formerly known as Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the....

CVE-2023-20028

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a...

CVE-2023-20120

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a...

CVE-2023-3407

The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to...

CVE-2023-1844

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and...

CVE-2023-2080

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud allows Blind SQL...

CVE-2023-1430

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...

CVE-2019-25144

The WP HTML Mail plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 2.2.10 due to insufficient input sanitization. This makes it possible for unauthenticated attackers to inject arbitrary HTML in pages that execute if they can successfully trick a administrator.....

CVE-2019-25148

The WP HTML Mail plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 2.9.0.3 due to insufficient input sanitization. This makes it possible for unauthenticated attackers to inject arbitrary HTML in pages that execute if they can successfully trick a administrator....

CVE-2019-25141

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify...

CVE-2019-25150

The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks against site...

CVE-2023-2781

The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated...

CVE-2023-2868

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability.....

CVE-2023-2717

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other.....

CVE-2023-2716

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access....

CVE-2023-2715

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's....

CVE-2023-2735

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2736

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto login link via shortcode...

CVE-2023-2714

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

CVE-2023-32980

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified...

CVE-2023-32979

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file...

CVE-2023-20075

Vulnerability in the CLI of Cisco Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary commands. These vulnerability is due to improper input validation in the CLI. An attacker could exploit this vulnerability by injecting operating system commands into a...

CVE-2023-20009

A vulnerability in the Web UI and administrative CLI of the Cisco Secure Email Gateway (ESA) and Cisco Secure Email and Web Manager (SMA) could allow an authenticated remote attacker and or authenticated local attacker to escalate their privilege level and gain root access. The attacker has to...

CVE-2023-25763

Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected...

CVE-2023-25765

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller...

CVE-2023-25764

Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email...

CVE-2023-0655

SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users email...

CVE-2023-20057

A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs. An attacker could.....

CVE-2022-44790

Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id...

CVE-2022-20942

A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA), Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to retrieve sensitive information...

CVE-2022-20960

A vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of certain TLS connections that are processed by an...