atmail 7 Stored XSS Vulnerability

Zach Julian

on Jun 23, 2017 1:24:27 PM

Patch Date

May 25, 2017

Reported Date

February 23, 2017

Vendor

ATMAIL

Systems Affected

atmail 7

Summary

A stored XSS vulnerability was identified in the webmail component of atmail 7. By sending a specially crafted email to a victim, an attacker can include an XSS payload to steal user contacts, send arbitrary emails, expose inbox contents, and more.

Vendor Status

This vulnerability was remediated in atmail 7.8.0.2, released on May 25, 2017. CVE-2017-11617 was issued to the vulnerability.

Disclosure timeline:

2017-02-24 – Vulnerability reported

2017-02-27 – Report acknowledged

2017-05-25 – Patch released

Exploit Availability

Full details regarding this vulnerability can be found in the accompanying blog post.

Researcher

Zach Julian of Bishop Fox

For Reference

Minor Update 7.8.0.2/ActiveSync 2.3.6

Index

Keywords

Cross-site Scripting

atmail 7 Stored XSS Vulnerability

Patch Date

Reported Date

Vendor

Systems Affected

Summary

Vendor Status

Exploit Availability

Researcher

Index

Keywords

Related Content

MANAGED SERVICES

CONSULTING SERVICES

PARTNER PROGRAMS

LABS | RESEARCH & RESOURCES

CAREERS

COMPANY

COMMUNITY

CONTACT

ADDRESS

atmail 7 Stored XSS Vulnerability

Patch Date

Reported Date

Vendor

Systems Affected

Summary

Vendor Status

Exploit Availability

Researcher

SHARE

Index

Keywords

Related Content

FIND OUT FIRST

MANAGED SERVICES

CONSULTING SERVICES

PARTNER PROGRAMS

LABS | RESEARCH & RESOURCES

CAREERS

COMPANY

COMMUNITY

CONTACT

ADDRESS