CVE-2017-16962

MEDIUM

CommuniGate Pro < 6.2.1 - Stored Cross-Site Scripting via Calendar Invitation or Directory Name

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16962. PoCs published by Boumediene KADDOUR.

AI-analyzed exploit summary: This exploit demonstrates multiple stored XSS vulnerabilities in CommuniGate Pro webmails (versions < 6.1.16). The PoC includes attack scenarios for Calendar, Files, Tasks, Notes, and Inbox, where malicious JavaScript is injected and executed when the victim interacts with the compromised content.

Description

The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component.

Exploits (1)

exploitdb WORKING POC
by Boumediene KADDOUR · text · webapps · multiple
https://www.exploit-db.com/exploits/43177

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: CommuniGate Pro webmails (crystal, pronto, pronto4) < 6.1.16
Auth required
Prerequisites: Access to a local mailbox in the target system · Victim interaction (e.g., reading an email, accessing a shared directory)
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/145095/communigatepro-xss.txt
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43177/

Scores

CVSS v3 6.1
EPSS 0.0219
EPSS Percentile 80.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
communigate/communigate_pro < 6.2.1
Published Nov 27, 2017
Tracked Since Feb 18, 2026