Title:

atmail 7 Stored XSS Vulnerability

Release Date:

June 23, 2017

Patch Date:

May 25, 2017

Reported Date:

February 23, 2017

Vendor:

atmail

Systems Affected:

atmail 7

Summary:

A stored XSS vulnerability was identified in the webmail component of atmail 7. By sending a specially crafted email to a victim, an attacker can include an XSS payload to steal user contacts, send arbitrary emails, expose inbox contents, and more.

Vendor Status:

This vulnerability was remediated in atmail 7.8.0.2, released on May 25, 2017.

Disclosure Timeline:

2017-02-24 – Vulnerability reported

2017-02-27 – Report acknowledged

2017-05-25 – Patch released

Exploit Availability:

Full details regarding this vulnerability can be found in the accompanying blog post.

Researcher:

Zach Julian of Bishop Fox

For Reference:

Minor Update 7.8.0.2/ActiveSync 2.3.6