Filtered by vendor Gfi
Subscribe
Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23608 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint. An authenticated user can supply HTML/JavaScript in the JSON \"name\" field to /MailEssentials/pages/MailSecurity/MailMonitoring.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23609 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/PerimeterSMTPServers.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23610 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON \"popServers\" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23611 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/ipblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23612 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_IPs parameter to /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23613 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /MailEssentials/pages/MailSecurity/uridnsblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23614 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework IP Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv2$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23615 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Sender Policy Framework Email Exceptions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23616 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter to /MailEssentials/pages/MailSecurity/AntiSpoofing.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23617 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Body) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvGeneral$TXB_Condition parameter to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23618 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23619 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 5.4 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Local Domains settings page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter to /MailEssentials/pages/MailSecurity/general.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user. | |||||
| CVE-2026-23620 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 4.3 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to File.Exists(), allowing the attacker to determine whether arbitrary files exist on the server. | |||||
| CVE-2026-23621 | 1 Gfi | 1 Mailessentials | 2026-02-20 | N/A | 4.3 MEDIUM |
| GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server. | |||||
| CVE-2025-34491 | 1 Gfi | 1 Mailessentials | 2025-11-04 | N/A | 8.8 HIGH |
| GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. A remote and authenticated attacker can execute arbitrary code by sending crafted serialized .NET when joining to a Multi-Server setup. | |||||
| CVE-2025-34490 | 1 Gfi | 1 Mailessentials | 2025-11-04 | N/A | 6.5 MEDIUM |
| GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files. | |||||
| CVE-2025-34489 | 1 Gfi | 1 Mailessentials | 2025-11-04 | N/A | 7.8 HIGH |
| GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. A local attacker can escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service. | |||||
| CVE-2025-2975 | 1 Gfi | 1 Kerio Connect | 2025-11-04 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in GFI KerioConnect 10.0.6 and classified as problematic. This issue affects some unknown processing of the file Settings/Email/Signature/EditHtmlSource of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2976 | 1 Gfi | 1 Kerio Connect | 2025-11-04 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in GFI KerioConnect 10.0.6. It has been classified as problematic. Affected is an unknown function of the component File Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2977 | 1 Gfi | 1 Kerio Connect | 2025-11-04 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in GFI KerioConnect 10.0.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||