CVE-2017-17752

MEDIUM

Ability Mail Server 3.3.2 - Stored Cross-Site Scripting via Email Body

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-17752. PoCs published by Aloyce J. Makalanga.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in Ability Mail Server 3.3.2 by sending an email with a malicious JavaScript payload in the body. The payload executes when the victim opens the email in the Read Mail screen.

Description

Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body of an e-mail message, with JavaScript code executed on the Read Mail screen (aka the /_readmail URI). This is fixed in version 4.2.4.

Exploits (1)

exploitdb · WORKING POC
by Aloyce J. Makalanga · python · webapps · multiple
https://www.exploit-db.com/exploits/43378


Classification
Working PoC (90%)
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Ability Mail Server 3.3.2
Auth required
Prerequisites: SMTP access to the target mail server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry · x_refsource_exploit-db
https://www.exploit-db.com/exploits/43378/

Scores

CVSS v3 6.1
EPSS 0.0138
EPSS Percentile 68.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
codecrafters/ability_mail_server 3.3.2
Published Dec 20, 2017
Tracked Since Feb 18, 2026