CVE-2023-48116: 
SmarterTools SmarterMail vulnerability analysis and mitigation

SmarterMail versions 8495 through 8664 before 8747 contains a stored Cross-Site Scripting (XSS) vulnerability in the calendar component. The vulnerability was discovered on December 21, 2023, affecting the calendar appointment description feature (NVD, Write-Ups).

The vulnerability exists due to insufficient filtering and sanitization of the 'description' parameter in calendar appointments. An attacker can exploit this by creating a malicious appointment in their calendar and sharing it with victims. The vulnerability can be triggered when victims access their calendar and click on the malicious appointment. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts in the victim's browser context, potentially leading to complete account takeover when victims view their calendar and interact with a malicious appointment (Write-Ups).

The vulnerability has been patched in SmarterMail Build 8747. Users are advised to upgrade to this version or later to mitigate the risk (Write-Ups, Release Notes).