Smartertools Security Vulnerabilities
Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack...
8.8CVSS
5.9AI Score
0.001EPSS
A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure This issue affects: SmarterTools SmarterTrack...
6.5CVSS
6.2AI Score
0.001EPSS
With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack...
9.1CVSS
6.9AI Score
0.001EPSS
Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack...
8.8CVSS
5.2AI Score
0.001EPSS
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar...
5.4CVSS
5.1AI Score
0.0004EPSS
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain...
5.4CVSS
5.2AI Score
0.0004EPSS
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same...
5.4CVSS
5.2AI Score
0.0004EPSS
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985...
9.8CVSS
9.5AI Score
0.81EPSS
Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the search...
5.9AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in frmTickets.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the email address field. NOTE: the provenance of this information is unknown; the details are obtained solely from third...
5.7AI Score
0.002EPSS
Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a JavaScript alert function used in conjunction with the fromCharCode method, (2) a SCRIPT element, (3) a Cascading Style Sheets.....
5.8AI Score
0.001EPSS
Multiple cross-site scripting (XSS) vulnerabilities in SmarterTools SmarterStats 6.2.4100 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by Default.aspx and certain other...
5.9AI Score
0.002EPSS
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code...
9.8CVSS
9.8AI Score
0.012EPSS
6.1CVSS
6.2AI Score
0.001EPSS
SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the...
5.4CVSS
5.4AI Score
0.001EPSS
An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user...
8.1CVSS
8AI Score
0.003EPSS
6.1CVSS
6.3AI Score
0.001EPSS
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the....
6.5CVSS
6.6AI Score
0.001EPSS
SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file...
6.1CVSS
6.3AI Score
0.001EPSS
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing...
8.2CVSS
8.1AI Score
0.003EPSS
SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using.....
6.1CVSS
6.1AI Score
0.001EPSS
SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP Logfiles from URL /Data/Reports/ReferringURLsWithQueries resulting in Stored Cross Site...
6.1CVSS
6.1AI Score
0.003EPSS
SmarterTools SmarterStats 6.2.4100 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving frmCustomReport.aspx and certain other files. NOTE: it is possible that only clients,...
6.9AI Score
0.007EPSS
SmarterTools SmarterStats 6.2.4100 generates web pages containing external links in response to GET requests with query strings for frmGettingStarted.aspx, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer...
6.3AI Score
0.002EPSS
Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) Admin/frmSite.aspx, (2) Default.aspx, (3) Services/SiteAdmin.asmx, or (4) Client/frmViewReports.aspx; certain cookies to (5)....
8.8AI Score
0.002EPSS
The SmarterTools SmarterStats 6.0 web server does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error and daemon pause) via vectors involving (1) certain cookies in a SiteInfoLookup action to...
6.9AI Score
0.01EPSS
login.aspx in the SmarterTools SmarterStats 6.0 web server does not include the HTTPOnly flag in a Set-Cookie header for the loginsettings cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this...
6.3AI Score
0.004EPSS
The SmarterTools SmarterStats 6.0 web server allows remote attackers to obtain directory listings via a direct request for the (1) Admin/, (2) Admin/Defaults/, (3) Admin/GettingStarted/, (4) Admin/Popups/, (5) App_Themes/, (6) Client/, (7) Client/Popups/, (8) Services/, (9) Temp/, (10)...
6.8AI Score
0.004EPSS
The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/frmSite.aspx, (2) Admin/frmSites.aspx, (3)...
6.9AI Score
0.011EPSS
The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2)...
6.9AI Score
0.008EPSS
Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbitrary commands via vectors involving a leading and trailing & (ampersand) character, and (1) an STTTState cookie, (2) the ctl00%24MPH%24txtAdminNewPassword_SettingText parameter, (3) the...
7.9AI Score
0.003EPSS
Login.aspx in the SmarterTools SmarterStats 6.0 web server supports URLs containing txtUser and txtPass parameters in the query string, which makes it easier for context-dependent attackers to discover credentials by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the...
6.7AI Score
0.002EPSS
The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSettings.aspx components in the SmarterTools SmarterStats 6.0 web server generate web pages containing e-mail addresses, which allows remote attackers to obtain potentially sensitive information by reading the default values of form....
6.4AI Score
0.003EPSS
The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSettings.aspx, (3) Admin/frmSite.aspx, (4) Client/frmUser.aspx, and (5) Login.aspx components in the SmarterTools SmarterStats 6.0 web server accept cleartext passwords, which makes it easier for remote attackers to obtain sensitive...
6.3AI Score
0.003EPSS
The SmarterTools SmarterStats 6.0 web server generates web pages containing external links in response to GET requests with query strings for (1) Client/frmViewReports.aspx or (2) UserControls/Popups/frmHelp.aspx, which makes it easier for remote attackers to obtain sensitive information by...
6.3AI Score
0.004EPSS
Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended...
7.2AI Score
0.011EPSS
Directory traversal vulnerability in FileStorageUpload.ashx in SmarterMail 7.1.3876 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash) in the name...
6.5AI Score
0.01EPSS
Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url...
5.9AI Score
0.002EPSS
Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in SmarterMail 5.0.2999 allows remote attackers to cause a denial of service (service termination) via a long HTTP (1) GET, (2) HEAD, (3) PUT, (4) POST, or (5) TRACE request. NOTE: the provenance of this information is unknown;...
6.6AI Score
0.021EPSS
Cross-site scripting (XSS) vulnerability in SmarterTools SmarterMail Enterprise 4.3 allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute of an element in the Subject field of an e-mail...
5.6AI Score
0.006EPSS
Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename...
7.1AI Score
0.007EPSS
login.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service via a long txtusername parameter, possibly due to a buffer...
7.3AI Score
0.019EPSS
SMTP service in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous open connections to TCP port...
7AI Score
0.013EPSS
frmAddfolder.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote authenticated users to create a folder that SmarterMail cannot delete or rename via a folder name with a null byte ("%00"). NOTE: it is not clear whether this issue poses a...
6.6AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in frmCompose.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to inject arbitrary web script or HTML via Javascript to the "check spelling" feature in the compose...
6AI Score
0.008EPSS