atmail 7 Stored XSS Vulnerability

Release Date:

June 23, 2017

Patch Date:

May 25, 2017

Reported Date:

February 23, 2017



Systems Affected:

atmail 7


A stored XSS vulnerability was identified in the webmail component of atmail 7. By sending a victim a specially crafted email containing an XSS payload, an attacker can steal user contacts, send arbitrary emails, expose inbox contents, and more.

Vendor Status:

This vulnerability was remediated in atmail, released on May 25, 2017.

Disclosure timeline:

2017-02-24 – Vulnerability reported

2017-02-27 – Report acknowledged

2017-05-25 – Patch released

Exploit Availability:

Full details regarding this vulnerability can be found in the accompanying blog post.


Zach Julian of Bishop Fox

For Reference:

Minor Update 2.3.6