GFI Software MailEssentials AI vulnerabilities

18 known vulnerabilities affecting gfi_software/mailessentials_ai.

Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 18

Vulnerabilities

CVE-2026-23611 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23611 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/ipblocklist.aspx, which is stored and later rendered in the manageme
Sources: cvelistv5, nvd
CVE-2026-23608 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23608 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the JSON "name" field to /MailEssentials/pages/MailSecurity/MailMonitoring.aspx/Save, which is stored and later rendered in the management interface, allow
Sources: cvelistv5, nvd
CVE-2026-23616 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23616 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter to /MailEssentials/pages/MailSecurity/AntiSpoofing.aspx, which is stored and later rendere
Sources: cvelistv5, nvd
CVE-2026-23614 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23614 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv2$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored and l
Sources: cvelistv5, nvd
CVE-2026-23607 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23607 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spam Whitelist management interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtDescription parameter to /MailEssentials/pages/MailSecurity/Whitelist.aspx, which is stored and later rendered in the
Sources: cvelistv5, nvd
CVE-2026-23620 | MEDIUM | CVSS 5.3 | fixed in 22.4 | 2026-02-19
CVE-2026-23620 [MEDIUM] CWE-203: GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to Fil
Sources: cvelistv5, nvd
CVE-2026-23610 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23610 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON "popServers" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rende
Sources: cvelistv5, nvd
CVE-2026-23618 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23618 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx, which is s
Sources: cvelistv5, nvd
CVE-2026-23606 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23606 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtRuleName parameter to /MailEssentials/pages/MailSecurity/advancedfiltering.aspx, which is stored and later re
Sources: cvelistv5, nvd
CVE-2026-23617 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23617 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Body) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvGeneral$TXB_Condition parameter to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx, which is stored and
Sources: cvelistv5, nvd
CVE-2026-23609 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23609 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/PerimeterSMTPServers.aspx, which is stored and later rend
Sources: cvelistv5, nvd
CVE-2026-23613 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23613 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /MailEssentials/pages/MailSecurity/uridnsblocklist.aspx, which is stored and later rendered in the mana
Sources: cvelistv5, nvd
CVE-2026-23604 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23604 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in
Sources: cvelistv5, nvd
CVE-2026-23612 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23612 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_IPs parameter to /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx, which is stored and later rendered in the managem
Sources: cvelistv5, nvd
CVE-2026-23605 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23605 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/attachmentchecking.aspx, which is stored and later render
Sources: cvelistv5, nvd
CVE-2026-23619 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23619 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/general.aspx, which is stored and later rendered in the management inte
Sources: cvelistv5, nvd
CVE-2026-23615 | MEDIUM | CVSS 5.1 | fixed in 22.4 | 2026-02-19
CVE-2026-23615 [MEDIUM] CWE-79: GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored
Sources: cvelistv5, nvd
CVE-2026-23621 | MEDIUM | CVSS 5.3 | fixed in 22.4 | 2026-02-19
CVE-2026-23621 [MEDIUM] CWE-203: GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and pass
Sources: cvelistv5, nvd