CVE-2023-48115: 
SmarterTools SmarterMail vulnerability analysis and mitigation

SmarterTools SmarterMail versions 8495 through 8664 before 8747 contains a stored DOM XSS vulnerability. The vulnerability exists because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request (NVD). The vulnerability was disclosed on December 21, 2023.

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction. The scope is changed with low confidentiality and integrity impact, but no availability impact (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the victim's browser session when messageHTML and messagePlainText parameters are set simultaneously in a request. This could potentially lead to unauthorized access to user data or execution of malicious actions on behalf of the victim.

The vulnerability has been patched in SmarterMail version 8747. Users are advised to upgrade to this version or later to address the security issue (Release Notes).