CVE-2015-9276

{"id": "CVE-2015-9276", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2019-01-16T16:29:00.197", "references": [{"url": "https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/technical-advisory-smartermail-stored-xss-in-emails-v2.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.nccgroup.trust/uk/our-research/smartermail-stored-xss-in-emails/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.smartertools.com/smartermail/release-notes/13", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an XSS attack, as the password reset page did not need the current password."}, {"lang": "es", "value": "SmarterTools SmarterMail, en versiones anteriores a la 13.3.5535, era vulnerable a Cross-Site Scripting (XSS) persistente mediante la omisi\u00f3n del mecanismo anti-XSS. Era posible ejecutar c\u00f3digo JavaScript cuando un usuario v\u00edctima abre o contesta al correo electr\u00f3nico del atacante, que conten\u00eda una carga \u00fatil maliciosa. Por lo tanto, las contrase\u00f1as de los usuarios podr\u00edan restablecerse utilizando un ataque XSS, ya que la p\u00e1gina de restablecimiento de contrase\u00f1a no necesitaba la contrase\u00f1a actual."}], "lastModified": "2019-01-24T21:28:57.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89F2FBA5-CD48-4945-B8A2-439094959D95", "versionEndExcluding": "13.3.5535"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}