Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user via a request to /FrontController; or conduct cross-site scripting (XSS) attacks via the (3) domainname parameter to /FrontController, when creating a new SMTP domain configuration; the (4) txtRecipient parameter to /FrontController, when creating a new forwarder; the (5) popFetchServer, (6) popFetchUser, or (7) popFetchRecipient parameter to /FrontController, when creating a new POP3 Fetcher account; or the (8) Smtp HELO domain in the Advanced Server Configuration.
Exploits (1)
exploitdb
WORKING POC
by Marlow Tannhauser · textwebappsphp
https://www.exploit-db.com/exploits/36949
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/show/osvdb/121847
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74578
Exploit exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/36949/
Exploit x_refsource_misc
http://packetstormsecurity.com/files/131844/Xeams-4.5-Build-5755-CSRF-Cross-Site-Scripting.html
Scores
EPSS
0.0037
EPSS Percentile
58.5%
Details
CWE
CWE-352
Status
published
Products (1)
synametrics/xeams
< 4.5
Published
May 20, 2015
Tracked Since
Feb 18, 2026