
Cloud Vulnerability DB
A community-led vulnerabilities database
SmarterTools SmarterMail versions 8495 through 8664, before build 8747, contain a stored Cross-Site Scripting (XSS) vulnerability. The application attempts to allow youtube.com URLs but fails to validate URLs properly, so an attacker can bypass the restriction by placing the @ character after the allowed host, followed by an attacker-controlled domain name. This vulnerability was discovered and disclosed on December 21, 2023 (NVD).
The vulnerability stems from a flaw in the application's Anti-XSS mechanism. The sanitization function filters content using specific whitelists and blacklists, but its URL validation is flawed: it accepts URLs of the form 'youtube.com@attacker.com' as valid, which bypasses the intended restriction because the browser treats everything before the @ as userinfo and connects to the host that follows it. The vulnerability can be exploited by uploading an SVG document containing malicious code and serving it with the image/svg+xml content type. Because the application's Content Security Policy (CSP) sets the frame-ancestors directive to 'self', the payload must be hosted on the mail server itself (Write-Ups).
The vulnerability allows attackers with ordinary user accounts to take over other users' accounts by sending emails containing malicious JavaScript code. When a victim opens their inbox, the code executes and can extract the victim's accessToken and refreshToken (Write-Ups).
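To make the URL-validation flaw concrete, here is an added Python example that is not SmarterMail's code: it places a naive host check beside a parser-based one and shows which of them the 'youtube.com@attacker-controlled-host' form slips past. The allowlist, function names and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a mail client might permit for embedded links.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com"}


def naive_is_allowed(url: str) -> bool:
    """Flawed check in the spirit of the bug described above (hypothetical,
    not SmarterMail's code). It takes the text after the scheme up to the
    first '/' and string-matches it, never accounting for userinfo, so
    'youtube.com@attacker.example' looks like youtube.com."""
    rest = url.split("://", 1)[-1]
    host_part = rest.split("/", 1)[0]
    return host_part.startswith("youtube.com")


def is_allowed(url: str) -> bool:
    """Hardened check: parse the URL and compare only the real host.

    Rejects non-http(s) schemes, any userinfo (the '@' trick), and hosts
    that merely start with an allowed name (youtube.com.attacker.example).
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in an embedded link is never legitimate here
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS


def compare(urls):
    """Return {url: (naive_result, hardened_result)} for a batch of links."""
    return {u: (naive_is_allowed(u), is_allowed(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, including the bypass shape from the advisory.
    samples = [
        "https://www.youtube.com/watch?v=example",
        "https://youtube.com@attacker.example/payload.svg",
        "https://youtube.com.attacker.example/",
        "youtube.com@attacker.example/payload.svg",
        "javascript:alert(1)",
    ]
    for url, (naive, hardened) in compare(samples).items():
        print(f"{url:55} naive={naive!s:5} hardened={hardened}")
```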
The vulnerability has been patched in SmarterMail Build 8747. Organizations should upgrade to this version or later to mitigate the risk. No other workarounds are documented (Release Notes).
Source: This report was generated using AI