cbcvebase.
CVE-2017-16962
published 2017-11-27

CVE-2017-16962: The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of…

PriorityP336medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
2.19%
80.1th percentile
The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component.

Affected

1 ranges
VendorProductVersion rangeFixed in
communigatecommunigate_pro< 6.2.16.2.1

CVSS provenance

nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.